Skip to content
Latchkey

step ca certificate: Get a Cert From a CA

step ca certificate obtains a certificate signed by an online step-ca, authenticating with a one-time provisioner token.

Where step certificate create makes a local cert, step ca certificate talks to a running CA. In CI you mint a short-lived token from a provisioner, then exchange it for a signed cert.

What it does

step ca certificate sends a CSR for the given subject to the configured step-ca and writes the returned certificate and key. It authenticates with a token from step ca token, or interactively via a provisioner.

Common usage

Terminal
# bootstrap trust to the CA once
step ca bootstrap --ca-url https://ca.internal:443 --fingerprint <sha256>
# mint a token, then get the cert non-interactively
TOKEN=$(step ca token svc.internal --provisioner ci)
step ca certificate svc.internal cert.pem key.pem --token "$TOKEN"

Options

FlagWhat it does
--token <jwt>One-time provisioner token authorizing the request
--provisioner <name>Provisioner to authenticate with
--san <name>Add a SAN (repeatable)
--ca-url <url>Address of the step-ca server
--root <file>Root CA cert to trust for the TLS connection
--not-after <dur>Requested validity duration

In CI

Run step ca bootstrap once with the CA fingerprint so the runner trusts the CA, then use step ca token to fetch a short-lived token. Storing the token in an env var and passing --token keeps the request non-interactive.

Common errors in CI

"error parsing token: token has expired" means the provisioner token TTL passed before the request; mint it right before use. "x509: certificate signed by unknown authority" means the runner has not bootstrapped the CA root; run step ca bootstrap or pass --root. "the provisioner ... does not exist" means a wrong --provisioner name.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →