step is an easy-to-use CLI tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows.
It's also a client for the step-ca online Certificate Authority (CA) server.
You can use it for many common crypto and X.509 operations—either independently, or with an online CA.
Questions? Ask us on GitHub Discussions or Discord.
Step CLI's command groups illustrate its wide-ranging uses:
step certificate: Work with X.509 (TLS/HTTPS) certificates.
Install root certificates so your CA is trusted by default (issue development certificates that work in browsers)
step ca: Administer and use a step-ca server, or any ACMEv2 (RFC8555) compliant CA server. ACME is the protocol used by Let's Encrypt to automate the issuance of HTTPS certificates.
With an ACME CA, step supports the http-01 challenge type
step crypto: A general-purpose crypto toolkit
scrypt, bcrypt, and argon2
Generate and check file hashes
step oauth: Add an OAuth 2.0 single sign-on flow to any CLI application.
Verify OIDC identity tokens (step crypto jwt verify)
step ssh: Create and manage SSH certificates (requires an online or offline step-ca instance)
See our installation docs here.
Here's a quick example, combining step oauth and step crypto to get and verify the signature of a Google OAuth OIDC token:

A plugin is an executable file named using the format step-<name>-plugin.
Plugins must be available in your $PATH or in the $STEPPATH/plugins
directory (that's $HOME/.step/plugins, by default).
When you run step <name>, the CLI will automatically execute the corresponding
plugin, if found.
Some known plugins include:
step-kms-plugin is also integrated directly into step to create
certificates, generate CSRs, sign tokens, and more using KMS-backed keys.
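
Because step <name> runs whatever executable named step-<name>-plugin it finds, it is worth knowing which files qualify on a given machine. The script below is an added example, not part of the step project: it lists every candidate in $STEPPATH/plugins and in $PATH and flags files or directories that are group- or world-writable. The function names and the writability check are this example's own assumptions.

```shell
#!/bin/sh
# Added example: list every file that could run as the plugin for `step <name>`.
# The step-<name>-plugin naming and the two search locations come from the
# README above; the function names and writability check are assumptions.

# Print WRITABLE if the path is group- or world-writable, otherwise ok.
perm_flag() {
    # Characters 6 and 9 of the ls mode string are the group/other write bits.
    case "$(ls -ldL "$1" 2>/dev/null | cut -c6,9)" in
        *w*) echo "WRITABLE" ;;
        *)   echo "ok" ;;
    esac
}

# Output, one line per candidate: <file-flag> <dir-flag> <path>
# Runs in a subshell so the IFS and globbing changes stay local.
step_plugin_candidates() (
    plugin="step-$1-plugin"
    steppath=${STEPPATH:-$HOME/.step}
    set -f
    IFS=:
    # Listing order only; not a statement about the CLI's lookup precedence.
    for dir in "$steppath/plugins" $PATH; do
        [ -n "$dir" ] || dir=.    # an empty $PATH entry means the current directory
        file="$dir/$plugin"
        # Only regular, executable files can be run as a plugin.
        if [ -f "$file" ] && [ -x "$file" ]; then
            printf '%s %s %s\n' "$(perm_flag "$file")" "$(perm_flag "$dir")" "$file"
        fi
    done
)

# Usage: step_plugin_candidates kms
```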