Skip to content
Latchkey

step certificate create: Make Test Certs

step certificate create generates a certificate and key with one command, self-signed by default or signed by a CA you supply.

step (smallstep) is a friendlier front end to X.509 than raw openssl. For a test cert it beats the multi-command openssl dance: subject, SANs, key, and cert in one call.

What it does

step certificate create takes a subject and writes a certificate and private key. Without a CA it is self-signed; with --ca and --ca-key it is signed by that CA. --profile picks the certificate role (leaf, intermediate-ca, self-signed).

Common usage

Terminal
step certificate create localhost cert.pem key.pem \
  --profile self-signed --subtle \
  --san localhost --san 127.0.0.1 --no-password --insecure
# signed by a local CA
step certificate create svc cert.pem key.pem \
  --ca ca.pem --ca-key ca-key.pem --no-password --insecure

Options

FlagWhat it does
--profile <p>leaf, intermediate-ca, root-ca, or self-signed
--san <name>Add a SAN (repeatable)
--ca <file> --ca-key <file>CA cert and key to sign with
--not-after <dur>Validity, e.g. 24h or 8760h
--no-passwordDo not encrypt the private key
--insecureRequired with --no-password (acknowledge no encryption)

In CI

Pass --no-password --insecure so the key is written unencrypted and no prompt blocks the job. --profile self-signed also needs --subtle. Set a short --not-after since the cert only lives for the test.

Common errors in CI

"flag --no-password requires --insecure" means you must add --insecure to acknowledge an unencrypted key. "profile self-signed is subtle, use --subtle" reminds you self-signed leaf certs need that flag. "open cert.pem: permission denied" means the output directory is read-only; write to $RUNNER_TEMP.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →