
github.com/smallstep/cli @v0.30.6 sqlite

Links: repository · DeepWiki · release v0.30.6
Index: 1,151 symbols, 4,685 edges, 222 files; 372 symbols documented (32%)
README

Step CLI


step is an easy-to-use CLI tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows. It's also a client for the step-ca online Certificate Authority (CA) server. You can use it for many common crypto and X.509 operations—either independently, or with an online CA.

Questions? Ask us on GitHub Discussions or Discord.

Website | Documentation | Installation | Basic Crypto Operations | Contributor's Guide

Features

Step CLI's command groups illustrate its wide-ranging uses:

  • step certificate: Work with X.509 (TLS/HTTPS) certificates.
      • Create, revoke, validate, lint, and bundle X.509 certificates.
      • Install (and remove) X.509 certificates into your system's (and browser's) trust store.
      • Validate certificate deployment and renewal status for automation.
      • Create key pairs (RSA, ECDSA, EdDSA) and certificate signing requests (CSRs).
      • Sign CSRs.
      • Create RFC5280 and CA/Browser Forum-compliant certificates that work for TLS and HTTPS.
      • Create CA certificates (root and intermediate signing certificates).
      • Create self-signed and CA-signed certificates.
      • Inspect and lint certificates on disk or in use by a remote server.
      • Install root certificates so your CA is trusted by default (issue development certificates that work in browsers).

  • step ca: Administer and use a step-ca server, or any ACMEv2 (RFC8555) compliant CA server. ACME is the protocol used by Let's Encrypt to automate the issuance of HTTPS certificates.
      • Initialize an X.509 and/or SSH CA in one command.
      • Authenticate and obtain a certificate using any enrollment mechanism supported by step-ca.
      • Securely distribute root certificates and bootstrap PKI relying parties.
      • Renew and revoke certificates issued by step-ca.
      • Submit CSRs to be signed by step-ca.
      • With an ACME CA, step supports the http-01 challenge type.

  • step crypto: A general-purpose crypto toolkit.
      • Work with JWTs (RFC7519) and other JOSE constructs.
      • Generate and verify TOTP tokens for multi-factor authentication (MFA).
      • Work with NaCl's high-speed tools for encryption and signing.
      • Apply key derivation functions (KDFs) and verify passwords using scrypt, bcrypt, and argon2.
      • Generate and check file hashes.

  • step oauth: Add an OAuth 2.0 single sign-on flow to any CLI application.
      • Supports OAuth authorization code, out-of-band (OOB), JWT bearer, and refresh token flows.
      • Get OAuth access tokens and OIDC identity tokens at the command line from any provider.
      • Verify OIDC identity tokens (step crypto jwt verify).

  • step ssh: Create and manage SSH certificates (requires an online or offline step-ca instance).
      • Generate SSH user and host key pairs and short-lived certificates.
      • Add and remove certificates to the SSH agent.
      • Inspect SSH certificates.
      • Login and use single sign-on SSH.

Installation

See our installation docs here.

Example

Here's a quick example, combining step oauth and step crypto to get and verify the signature of a Google OAuth OIDC token:

[Animated terminal recording: step in practice]
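The recording itself cannot be reproduced here. In CLI form the pipeline it shows is `step oauth --oidc --bare` piped into `step crypto jwt verify --jwks https://www.googleapis.com/oauth2/v3/certs --iss https://accounts.google.com --aud <client-id>` (flag names as of the step help text; treat them as this editor's assumption rather than a transcript of the recording, and `<client-id>` is a placeholder for your OAuth client ID). The Go program below is an added example, not code from the step project, showing what that second step has to do before an ID token can be trusted: pin the algorithm, pick the signing key out of the provider's JWKS by `kid`, verify the RS256 signature, and only then compare `iss`, `aud` and `exp`. Because it cannot call Google offline, `MintDemoToken` plays the provider with a throwaway RSA key and a constructed token; the JWKS format is the real RFC 7517 one, so `VerifyIDToken` would work unchanged on the document Google serves.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims are the ID-token claims checked here; aud is read as a string (the form Google ID tokens use).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIDToken checks an RS256 ID token against a JWKS document and the expected issuer and
// audience at time now: pin the algorithm, pick the key by kid, verify the signature, then read claims.
func VerifyIDToken(token string, jwksJSON []byte, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	// Pin the algorithm before anything else: alg=none and HMAC key-confusion attacks rely on
	// the verifier honouring whatever alg the token claims.
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg %q", hdr.Alg)
	}
	var set struct {
		Keys []struct{ Kty, Kid, N, E string } `json:"keys"`
	}
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
			break
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if c.Iss != iss || c.Aud != aud || c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d (want iss=%q aud=%q)", c.Iss, c.Aud, c.Exp, iss, aud)
	}
	return &c, nil
}

// MintDemoToken stands in for the provider so the example runs offline: it creates a throwaway
// RSA key, publishes it as a JWKS, and signs a constructed ID token with it.
func MintDemoToken(iss, aud string, exp time.Time) (token string, jwksJSON []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	body, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Sub: "1234567890", Exp: exp.Unix()})
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT","kid":"demo-key-1"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	jwksJSON = []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":"demo-key-1","alg":"RS256","n":%q,"e":%q}]}`,
		enc.EncodeToString(priv.N.Bytes()), enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())))
	return input + "." + enc.EncodeToString(sig), jwksJSON, err
}

func main() {
	const iss, aud = "https://accounts.google.com", "demo-client-id"
	tok, set, _ := MintDemoToken(iss, aud, time.Now().Add(time.Hour))
	_, errOK := VerifyIDToken(tok, set, iss, aud, time.Now())
	_, errAud := VerifyIDToken(tok, set, iss, "some-other-client", time.Now())
	fmt.Printf("genuine token: %v\nsame token replayed to another client: %v\n", errOK, errAud)
}
```

The audience check is the one most often skipped: a signature-valid Google ID token minted for some other application is still a Google ID token, and a verifier that only checks the signature will accept it. The example also deliberately reads `aud` only in its string form; tokens carrying a JSON array there are rejected, which is the safer failure for a CLI that expects exactly one client ID.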

Plugins

A plugin is an executable file named using the format step-<name>-plugin. Plugins must be available in your $PATH or in the $STEPPATH/plugins directory (that's $HOME/.step/plugins, by default).

When you run step <name>, the CLI will automatically execute the corresponding plugin, if found.

Some known plugins include:

  • step-kms-plugin: Manage keys and certificates stored in a KMS, including HSMs, TPMs, YubiKeys, the macOS Keychain, and cloud KMSs.
  • step-kmsproxy-plugin: Provides an HSM/KMS-backed authenticating proxy for mTLS services. Thanks to @andsens for creating and maintaining this plugin!

step-kms-plugin is also integrated directly into step to create certificates, generate CSRs, sign tokens, and more using KMS-backed keys.
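The discovery rule described above, as an added example in Go (this editor's illustration, not the step project's own plugin code): it maps `step <name>` to an executable named `step-<name>-plugin`, looks in `$STEPPATH/plugins` and then in PATH, and adds two checks a practitioner wants around any "execute whatever file matches this name" mechanism: the name is constrained so it can never carry a path separator, and empty or relative PATH entries are skipped. The STEPPATH-first search order, the name pattern, the POSIX execute-bit test and the pass-through of STEPPATH in the child's environment are all assumptions of this example, not documented step behaviour.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
)

// pluginName restricts <name> to the shape of a subcommand so that an argument such as
// "../../tmp/x" can never steer the lookup outside the plugin directory. This check is
// the example's own and is not claimed to be step's.
var pluginName = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*$`)

// LookupPlugin resolves `step <name>` to an executable named step-<name>-plugin, looking in
// $STEPPATH/plugins first and then in each directory of pathEnv (PATH-style list). The README
// names both locations; trying the STEPPATH directory first is an assumption.
func LookupPlugin(name, stepPath, pathEnv string) (string, error) {
	if !pluginName.MatchString(name) {
		return "", fmt.Errorf("refusing plugin lookup for %q", name)
	}
	file := "step-" + name + "-plugin"
	if p := filepath.Join(stepPath, "plugins", file); isExecutable(p) {
		return p, nil
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		// An empty or relative PATH entry means "wherever the user is standing"; running a
		// plugin from there is a classic hijack, so such entries are skipped rather than searched.
		if dir == "" || !filepath.IsAbs(dir) {
			continue
		}
		if p := filepath.Join(dir, file); isExecutable(p) {
			return p, nil
		}
	}
	return "", fmt.Errorf("%q is not a step command and no %s was found", name, file)
}

// isExecutable accepts only regular files with an execute bit (POSIX semantics).
func isExecutable(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.Mode().IsRegular() && fi.Mode().Perm()&0o111 != 0
}

// RunPlugin executes the resolved plugin with the remaining arguments, inheriting stdio.
// Passing STEPPATH through the environment is this example's choice, not documented behaviour.
func RunPlugin(name, stepPath string, args []string) error {
	p, err := LookupPlugin(name, stepPath, os.Getenv("PATH"))
	if err != nil {
		return err
	}
	cmd := exec.Command(p, args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.Env = append(os.Environ(), "STEPPATH="+stepPath)
	return cmd.Run()
}

// DefaultStepPath mirrors the README's default: $STEPPATH if set, otherwise $HOME/.step.
func DefaultStepPath() string {
	if p := os.Getenv("STEPPATH"); p != "" {
		return p
	}
	home, _ := os.UserHomeDir()
	return filepath.Join(home, ".step")
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: plugin-demo <name> [args...]")
		os.Exit(2)
	}
	if err := RunPlugin(os.Args[1], DefaultStepPath(), os.Args[2:]); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The practical consequence for operators: anything that can write an executable into `$STEPPATH/plugins` or into an early PATH directory can hijack any unknown `step` subcommand, so those directories deserve the same ownership and permission discipline as the step binary itself.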

Community

Further Reading

Extension points (exported contracts: how you extend this code)

CaClient (Interface) · utils/cautils/client.go · 1 implementer
  CaClient is the interface implemented by a client used to sign, renew, and revoke certificates, among other things.
Attestor (Interface) · internal/cryptoutil/cryptoutil.go · 1 implementer
  Attestor is the interface implemented by step-kms-plugin using the key, sign, and attest commands.
Token (Interface) · token/token.go · 1 implementer
  Token is the interface that all token types should attempt to implement.
KDF (FuncType) · internal/kdf/kdf.go
  KDF is the type that all the key derivation functions implement. The current methods use safe default values, but futu
ShellOption (FuncType) · internal/sshutil/shell.go
  ShellOption is the type used to add new options to the shell.
Options (FuncType) · token/options.go
  Options is a function that sets claims.
Option (Interface) · utils/cautils/certificate_flow.go · 2 implementers
  (no doc)
AgentOption (FuncType) · internal/sshutil/agent.go
  AgentOption is the type used for variadic options in Agent methods.

Core symbols (most depended-on inside this repo)

String · called by 585 · internal/crlutil/signature_algorithms.go
Run · called by 89 · utils/cautils/acmeutils.go
Set · called by 56 · token/token.go
Close · called by 48 · internal/sshutil/shell.go
Error · called by 36 · utils/cautils/bootstrap.go
Public · called by 33 · internal/cryptoutil/cryptoutil.go
ReadFile · called by 32 · utils/read.go
NewAdminClient · called by 21 · utils/cautils/client.go

Shape

Function 851
Method 170
Struct 103
Interface 12
FuncType 8
TypeAlias 7

Languages

Go 100%

Modules by API surface

utils/cautils/acmeutils.go · 31 symbols
utils/cautils/offline.go · 28 symbols
command/oauth/cmd.go · 25 symbols
command/ca/provisioner/caConfigClient.go · 25 symbols
utils/cautils/tpm.go · 24 symbols
command/ca/policy/policycontext/context.go · 24 symbols
utils/cautils/client.go · 22 symbols
token/options.go · 22 symbols
integration/crypto_test.go · 22 symbols
command/ca/provisioner/add.go · 21 symbols
internal/cryptoutil/cryptoutil.go · 20 symbols
utils/cautils/certificate_flow.go · 19 symbols

Used by 1 indexed graph (manifest dependencies, hub-wide)

Dependencies from manifests, versioned

cloud.google.com/go v0.123.0 · 1×
cloud.google.com/go/auth v0.20.0 · 1×
cloud.google.com/go/auth/oauth2adapt v0.2.8 · 1×
cloud.google.com/go/compute/metadata v0.9.0 · 1×
cloud.google.com/go/longrunning v0.9.0 · 1×
cloud.google.com/go/security v1.19.2 · 1×
dario.cat/mergo v1.0.2 · 1×
filippo.io/bigmod v0.1.0 · 1×
filippo.io/edwards25519 v1.2.0 · 1×
github.com/AndreasBriese/bbloom v0.0.0-2019082515265 · 1×
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1 · 1×

For agents

$ claude mcp add cli \
  -- python -m otcore.mcp_server <graph>
