🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
Step CLI
step is an easy-to-use CLI tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows. It's also a client for the step-ca online Certificate Authority (CA) server. You can use it for many common crypto and X.509 operations—either independently, or with an online CA.
Questions? Ask us on GitHub Discussions or Discord.
Website | Documentation | Installation | Basic Crypto Operations | Contributor's Guide
Features
Step CLI's command groups illustrate its wide-ranging uses:
step certificate: Work with X.509 (TLS/HTTPS) certificates.
step ca: Administer and use astep-caserver, or any ACMEv2 (RFC8555) compliant CA server. ACME is the protocol used by Let's Encrypt to automate the issuance of HTTPS certificates.
step-ca
- Securely distribute root certificates and bootstrap PKI relying parties
- Renew and revoke certificates issued by step-ca
- Submit CSRs to be signed by step-ca
- With an ACME CA, step supports the http-01 challenge type
step crypto: A general-purpose crypto toolkit
scrypt, bcrypt, and argon2
- Generate and check file hashes
step oauth: Add an OAuth 2.0 single sign-on flow to any CLI application.
step crypto jwt verify)
- Generate SSH user and host key pairs and short-lived certificates
- Add and remove certificates to the SSH agent
- Inspect SSH certificates
- Login and use single sign-on SSH
Installation
See our installation docs here.
Example
Here's a quick example, combining step oauth and step crypto to get and verify the signature of a Google OAuth OIDC token:

Plugins
A plugin is an executable file named using the format step-<name>-plugin. Plugins must be available in your $PATH or in the $STEPPATH/plugins directory (that's $HOME/.step/plugins, by default).
When you run step <name>, the CLI will automatically execute the corresponding plugin, if found.
Some known plugins include:
- step-kms-plugin: Manage
step-kms-plugin is also integrated directly into step to create certificates, generate CSRs, sign tokens, and more using KMS-backed keys.
Community
- Connect with
stepusers on GitHub Discussions or Discord - Open an issue and tell us what features you'd like to see
- Contribute to the
stepcodebase - Follow Smallstep on Twitter
Further Reading
- Full documentation for
step - We have more examples of
stepandstep-cain action on the Smallstep blog. - If you're new to PKI and X.509 certificates, or you want a refresher on the core concepts, you may enjoy Everything PKI.