step certificate create: Make Test Certs
step certificate create generates a certificate and key with one command, self-signed by default or signed by a CA you supply.
step (smallstep) is a friendlier front end to X.509 than raw openssl. For a test cert it beats the multi-command openssl dance: subject, SANs, key, and cert in one call.
What it does
step certificate create takes a subject and writes a certificate and private key. Without a CA it is self-signed; with --ca and --ca-key it is signed by that CA. --profile picks the certificate role (leaf, intermediate-ca, self-signed).
Common usage
step certificate create localhost cert.pem key.pem \
--profile self-signed --subtle \
--san localhost --san 127.0.0.1 --no-password --insecure
# signed by a local CA
step certificate create svc cert.pem key.pem \
--ca ca.pem --ca-key ca-key.pem --no-password --insecureOptions
| Flag | What it does |
|---|---|
| --profile <p> | leaf, intermediate-ca, root-ca, or self-signed |
| --san <name> | Add a SAN (repeatable) |
| --ca <file> --ca-key <file> | CA cert and key to sign with |
| --not-after <dur> | Validity, e.g. 24h or 8760h |
| --no-password | Do not encrypt the private key |
| --insecure | Required with --no-password (acknowledge no encryption) |
In CI
Pass --no-password --insecure so the key is written unencrypted and no prompt blocks the job. --profile self-signed also needs --subtle. Set a short --not-after since the cert only lives for the test.
Common errors in CI
"flag --no-password requires --insecure" means you must add --insecure to acknowledge an unencrypted key. "profile self-signed is subtle, use --subtle" reminds you self-signed leaf certs need that flag. "open cert.pem: permission denied" means the output directory is read-only; write to $RUNNER_TEMP.