85 lines
7.7 KiB
Markdown
85 lines
7.7 KiB
Markdown
# Step CLI
|
|
|
|
[![GitHub release](https://img.shields.io/github/release/smallstep/cli.svg)](https://github.com/smallstep/cli/releases)
|
|
[![CA Image](https://images.microbadger.com/badges/image/smallstep/step-cli.svg)](https://microbadger.com/images/smallstep/step-cli)
|
|
[![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/cli)](https://goreportcard.com/report/github.com/smallstep/cli)
|
|
[![Build Status](https://travis-ci.com/smallstep/cli.svg?branch=master)](https://travis-ci.com/smallstep/cli)
|
|
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
|
|
[![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/cli)](https://cla-assistant.io/smallstep/cli)
|
|
|
|
[![GitHub stars](https://img.shields.io/github/stars/smallstep/cli.svg?style=social)](https://github.com/smallstep/cli/stargazers)
|
|
[![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs)
|
|
|
|
`step` is a toolkit for working with your *public key infrastructure* (PKI).
|
|
It's also the client counterpart to the [`step-ca`](https://github.com/smallstep/certificates) online Certificate Authority (CA).
|
|
|
|
Here's a quick example, combining `step oauth` and `step crypto` to get and verify the signature of a Google OAuth OIDC token:
|
|
|
|
![Animated terminal showing step in practice](https://smallstep.com/images/blog/2018-08-07-unfurl.gif)
|
|
|
|
**Questions? Ask us on [GitHub Discussions](https://github.com/smallstep/certificates/discussions) or [Gitter](https://gitter.im/smallstep/community).**
|
|
|
|
[Website](https://smallstep.com) |
|
|
[Documentation](https://smallstep.com/docs/step-cli) |
|
|
[Installation](https://smallstep.com/docs/step-cli/installation) |
|
|
[Getting Started](https://smallstep.com/docs/step-cli/basic-crypto-operations) |
|
|
[Contributor's Guide](./docs/CONTRIBUTING.md)
|
|
|
|
## Features
|
|
|
|
Step CLI's command groups illustrate some of its uses:
|
|
- [`step certificate`](https://smallstep.com/docs/step-cli/reference/certificate/): Work with X.509 (TLS/HTTPS) certificates.
|
|
- Create, revoke, validate, lint, and bundle X.509 certificates.
|
|
- Install (and remove) X.509 certificates into your system's (and brower's) trust store.
|
|
- Create key pairs (RSA, ECDSA, EdDSA) and certificate signing requests (CSRs)
|
|
- [Sign CSRs](https://smallstep.com/docs/step-cli/reference/certificate/sign/)
|
|
- Create [RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/)-compliant certificates that work for TLS and HTTPS
|
|
- [Create](https://smallstep.com/docs/step-cli/reference/certificate/create/) CA certificates (root and intermediate signing certificates)
|
|
- Create self-signed & CA-signed certificates
|
|
- [Inspect](https://smallstep.com/docs/step-cli/reference/certificate/inspect/) and [lint](https://smallstep.com/docs/step-cli/reference/certificate/lint/) certificates on disk or in use by a remote server
|
|
- [Install root certificates](https://smallstep.com/docs/step-cli/reference/certificate/install/) so your CA is trusted by default (issue development certificates **that [work in browsers](https://smallstep.com/blog/step-v0-8-6-valid-HTTPS-certificates-for-dev-pre-prod.html)**)
|
|
|
|
- [`step ca`](https://smallstep.com/docs/step-cli/reference/ca/): Set up your own CA, or make requests of any ACMEv2 ([RFC8555](https://tools.ietf.org/html/rfc8555)) CA, including [`step-ca`](https://github.com/smallstep/certificates). ACME is the protocol used by Let's Encrypt to automate the issuance of HTTPS certificates.
|
|
- Initialize an X.509 and/or SSH CA in one command
|
|
- [Authenticate and obtain a certificate](https://smallstep.com/docs/step-cli/reference/ca/certificate/) using any enrollment mechanism supported by [`step-ca`](https://github.com/smallstep/certificates)
|
|
- Securely [distribute root certificates](https://smallstep.com/docs/step-cli/reference/ca/root/) and [bootstrap](https://smallstep.com/docs/step-cli/reference/ca/bootstrap/) PKI relying parties
|
|
- [Renew](https://smallstep.com/docs/step-cli/reference/ca/renew/) and [revoke](https://smallstep.com/docs/step-cli/reference/ca/revoke/) certificates issued by [`step-ca`](https://github.com/smallstep/certificates)
|
|
- [Submit CSRs](https://smallstep.com/docs/step-cli/reference/ca/sign/) to be signed by [`step-ca`](https://github.com/smallstep/certificates)
|
|
|
|
- [`step crypto`](https://smallstep.com/docs/step-cli/reference/crypto/): A general-purpose crypto toolkit
|
|
- Work with [JWTs](https://jwt.io) ([RFC7519](https://tools.ietf.org/html/rfc7519)) and [other JOSE constructs](https://datatracker.ietf.org/wg/jose/documents/)
|
|
- [Sign](https://smallstep.com/docs/step-cli/reference/crypto/jwt/sign), [verify](https://smallstep.com/docs/step-cli/reference/crypto/jwt/verify), and [inspect](https://smallstep.com/docs/step-cli/reference/crypto/jwt/inspect) JSON Web Tokens (JWTs)
|
|
- [Sign](https://smallstep.com/docs/step-cli/reference/crypto/jws/sign), [verify](https://smallstep.com/docs/step-cli/reference/crypto/jws/verify), and [inspect](https://smallstep.com/docs/step-cli/reference/crypto/jws/inspect/) arbitrary data using JSON Web Signature (JWS)
|
|
- [Encrypt](https://smallstep.com/docs/step-cli/reference/crypto/jwe/encrypt/) and [decrypt](https://smallstep.com/docs/step-cli/reference/crypto/jwe/decrypt/) data and wrap private keys using JSON Web Encryption (JWE)
|
|
- [Create JWKs](https://smallstep.com/docs/step-cli/reference/crypto/jwk/create/) and [manage key sets](https://smallstep.com/docs/step-cli/reference/crypto/jwk/keyset) for use with JWT, JWE, and JWS
|
|
- [Generate and verify](https://smallstep.com/docs/step-cli/reference/crypto/otp/) TOTP tokens for multi-factor authentication (MFA)
|
|
- Work with [NaCl](https://nacl.cr.yp.to/)'s high-speed tools for encryption and
|
|
signing
|
|
- [Apply key derivation functions](https://smallstep.com/docs/step-cli/reference/crypto/kdf/) (KDFs) and [verify passwords](https://smallstep.com/docs/step-cli/reference/crypto/kdf/compare/) using `scrypt`, `bcrypt`, and `argo2`
|
|
- Generate and check [file hashes](https://smallstep.com/docs/step-cli/reference/crypto/hash/)
|
|
- [`step oauth`](https://smallstep.com/docs/step-cli/reference/oauth/): Add an OAuth 2.0 single sign-on flow to any CLI application.
|
|
- Supports OAuth authorization code, out-of-band (OOB), JWT bearer, and refresh token flows
|
|
- Get OAuth access tokens and OIDC identity tokens at the command line from any provider.
|
|
- Verify OIDC identity tokens (`step crypto jwt verify`)
|
|
- [`step ssh`](https://smallstep.com/docs/step-cli/reference/ssh/): Create and manage SSH certificates (requires an online or offline [`step-ca`](https://github.com/smallstep/certificates) instance)
|
|
- Generate SSH user and host key pairs and short-lived certificates
|
|
- Add and remove certificates to the SSH agent
|
|
- Inspect SSH certificates
|
|
- Login and use [single sign-on SSH](https://smallstep.com/blog/diy-single-sign-on-for-ssh/)
|
|
|
|
## Installation
|
|
|
|
See our installation docs [here](https://smallstep.com/docs/step-cli/installation).
|
|
|
|
## Community
|
|
|
|
* Connect with `step` users on [GitHub Discussions](https://github.com/smallstep/certificates/discussions) or [Gitter](https://gitter.im/smallstep/community)
|
|
* [Open an issue](https://github.com/smallstep/cli/issues/new/choose) and tell us what features you'd like to see
|
|
* [Follow Smallstep on Twitter](https://twitter.com/smallsteplabs)
|
|
|
|
## Further Reading
|
|
|
|
* [Full documentation for `step`](https://smallstep.com/docs/step-cli)
|
|
* We have more examples of `step` and `step-ca` in action on [the Smallstep blog](https://smallstep.com/blog).
|
|
* If you're new to PKI and X.509 certificates, or you want a refresher on the core concepts, you may enjoy [Everything PKI](https://smallstep.com/blog/everything-pki/).
|