step ca certificate: Get a Cert From a CA
step ca certificate obtains a certificate signed by an online step-ca, authenticating with a one-time provisioner token.
Where step certificate create makes a local cert, step ca certificate talks to a running CA. In CI you mint a short-lived token from a provisioner, then exchange it for a signed cert.
What it does
step ca certificate sends a CSR for the given subject to the configured step-ca and writes the returned certificate and key. It authenticates with a token from step ca token, or interactively via a provisioner.
Common usage
# bootstrap trust to the CA once
step ca bootstrap --ca-url https://ca.internal:443 --fingerprint <sha256>
# mint a token, then get the cert non-interactively
TOKEN=$(step ca token svc.internal --provisioner ci)
step ca certificate svc.internal cert.pem key.pem --token "$TOKEN"Options
| Flag | What it does |
|---|---|
| --token <jwt> | One-time provisioner token authorizing the request |
| --provisioner <name> | Provisioner to authenticate with |
| --san <name> | Add a SAN (repeatable) |
| --ca-url <url> | Address of the step-ca server |
| --root <file> | Root CA cert to trust for the TLS connection |
| --not-after <dur> | Requested validity duration |
In CI
Run step ca bootstrap once with the CA fingerprint so the runner trusts the CA, then use step ca token to fetch a short-lived token. Storing the token in an env var and passing --token keeps the request non-interactive.
Common errors in CI
"error parsing token: token has expired" means the provisioner token TTL passed before the request; mint it right before use. "x509: certificate signed by unknown authority" means the runner has not bootstrapped the CA root; run step ca bootstrap or pass --root. "the provisioner ... does not exist" means a wrong --provisioner name.