# smallstep/cli

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/smallstep-cli).**

4,255 stars · 302 forks · Go · Apache-2.0

## Links

- GitHub: https://github.com/smallstep/cli
- Homepage: https://smallstep.com/cli
- awesome-repositories: https://awesome-repositories.com/repository/smallstep-cli.md

## Topics

`certificate` `cryptography` `encryption` `jose` `jwe` `jws` `jwt` `mfa` `oath` `oauth` `security` `security-tools` `ssh` `sso` `tls` `totp` `x509`

## Description

This project is a command-line tool for managing public key infrastructure and digital identities. It provides a comprehensive suite for X.509 certificate lifecycle management, including the generation, signing, renewal, and revocation of certificates and signing requests.

The tool distinguishes itself through specialized security capabilities such as binding cryptographic credentials to TPMs and HSMs for hardware-backed identity attestation. It also provides dedicated support for machine identity security, using short-lived SSH certificates and mTLS to secure non-human workloads.

Broad capabilities include a JOSE cryptography toolkit for managing JSON Web Tokens and Keys, an OAuth and OIDC client for authorization flows, and an ACME client for automated TLS provisioning. The toolset also covers general cryptographic utilities, system trust store management, and certificate authority administration.

The tool can be extended with new subcommands through path-based plugin discovery.

## Tags

### Security & Cryptography

- [Certificate Lifecycle Management](https://awesome-repositories.com/f/security-cryptography/certificate-lifecycle-management.md) — Provides a comprehensive suite for the issuance, rotation, and revocation of digital certificates. ([source](https://smallstep.com/docs/step-cli/reference/ca/))
- [X.509 Management Utilities](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management/server-authenticity-verification/certificate-based-authentication/x-509-certificate-parsing-and-validation/x-509-management-utilities.md) — Provides comprehensive X.509 certificate management including generation, signing, and revocation. ([source](https://cdn.jsdelivr.net/gh/smallstep/cli@master/README.md))
- [Public Key Infrastructure](https://awesome-repositories.com/f/security-cryptography/public-key-infrastructure.md) — Provides comprehensive management of public key infrastructure, including certificate authorities and issuance policies.
- [ACME Certificate Provisioners](https://awesome-repositories.com/f/security-cryptography/acme-certificate-provisioners.md) — Obtains TLS certificates from ACME servers using HTTP servers or webroot validation. ([source](https://smallstep.com/docs/step-cli/basic-crypto-operations/))
- [ACME Clients](https://awesome-repositories.com/f/security-cryptography/acme-clients.md) — Implements the ACME protocol as a command-line tool for automated certificate lifecycle management.
- [Asymmetric Key Generators](https://awesome-repositories.com/f/security-cryptography/asymmetric-key-generators.md) — Creates public and private keypairs in PEM or JSON formats for encryption and signing. ([source](https://smallstep.com/docs/step-cli/reference/crypto/))
- [Certificate Authorities](https://awesome-repositories.com/f/security-cryptography/certificate-authorities.md) — Sets up the initial configuration and public key infrastructure needed to start a certificate authority. ([source](https://smallstep.com/docs/step-cli/reference/ca/))
- [Certificate Automation Protocols](https://awesome-repositories.com/f/security-cryptography/certificate-automation-protocols.md) — Bootstraps and manages servers to issue, renew, and revoke certificates using automated protocols. ([source](https://cdn.jsdelivr.net/gh/smallstep/cli@master/README.md))
- [Certificate Renewal Managers](https://awesome-repositories.com/f/security-cryptography/certificate-renewal-managers.md) — Automates the periodic renewal of expiring certificates based on defined thresholds. ([source](https://smallstep.com/docs/step-cli/reference/ca/renew/))
- [Certificate Revocations](https://awesome-repositories.com/f/security-cryptography/certificate-revocations.md) — Invalidates certificates by serial number to prevent further use of compromised credentials. ([source](https://smallstep.com/docs/step-cli/reference/ca/revoke/))
- [Certificate Signing Request Generation](https://awesome-repositories.com/f/security-cryptography/certificate-signing-request-generation.md) — Creates certificates or signing requests using profiles and templates for identity purposes. ([source](https://smallstep.com/docs/step-cli/reference/certificate/create/))
- [Certificate Signing](https://awesome-repositories.com/f/security-cryptography/certificate-signing-request-managers/certificate-signing.md) — Signs certificate requests using a private key to issue valid identities. ([source](https://smallstep.com/docs/step-cli/reference/certificate/))
- [Cryptographic Primitives](https://awesome-repositories.com/f/security-cryptography/cryptographic-primitives.md) — Provides a suite of identity operations based on industry-standard X.509, JOSE, and OAuth2 specifications.
- [Certificate Authority Management](https://awesome-repositories.com/f/security-cryptography/cryptography/ssl-tls-certificate-management/certificate-authority-management.md) — Manages provisioners and administrators to control access to certificate request capabilities. ([source](https://smallstep.com/docs/step-cli/reference/ca/))
- [Hardware Identity Attestations](https://awesome-repositories.com/f/security-cryptography/device-attestation-provisioning/hardware-identity-attestations.md) — Binds credentials to hardware and provides cryptographic proofs for device identity attestation.
- [Trust Store Managers](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/development-security-infrastructure/trust-store-managers.md) — Automates the installation and removal of root certificates within the operating system trust store.
- [Hardware Key Binding](https://awesome-repositories.com/f/security-cryptography/identity-based-access-control/credential-based-access-controls/access-point-credentials/hardware-key-binding.md) — Binds cryptographic credentials to TPMs and HSMs to prevent key exfiltration and ensure hardware-backed identity.
- [Hardware Security Module Integrations](https://awesome-repositories.com/f/security-cryptography/identity-key-management/hardware-security-module-integrations.md) — Manages keys and certificates stored in HSMs, TPMs, and cloud-based key management systems. ([source](https://cdn.jsdelivr.net/gh/smallstep/cli@master/README.md))
- [General Certificate Integrity Validations](https://awesome-repositories.com/f/security-cryptography/identity-servers/certificate-trust-validation/iot-certificate-validations/general-certificate-integrity-validations.md) — Inspects certificate contents and verifies digital signatures against root anchors to ensure trust. ([source](https://smallstep.com/docs/step-cli/reference/certificate/))
- [JSON Web Tokens](https://awesome-repositories.com/f/security-cryptography/json-web-tokens.md) — Provides comprehensive tools for generating and signing JSON Web Tokens and Keys. ([source](https://smallstep.com/docs/step-cli))
- [Hardware-Backed Key Storage](https://awesome-repositories.com/f/security-cryptography/key-management/hardware-backed-key-storage.md) — Binds cryptographic credentials to TPMs and HSMs to prevent key exfiltration and ensure authenticity.
- [Machine Identity](https://awesome-repositories.com/f/security-cryptography/machine-identity.md) — Secures non-human workloads using mTLS, hardware attestation, and short-lived SSH certificates.
- [OAuth and OpenID Connect Libraries](https://awesome-repositories.com/f/security-cryptography/oauth-and-openid-connect-libraries.md) — Provides a unified client for implementing OAuth and OpenID Connect authorization flows. ([source](https://smallstep.com/docs/step-cli/reference/))
- [OAuth Flow Implementations](https://awesome-repositories.com/f/security-cryptography/oauth-authentication/oauth-token-retrievals/oauth-flow-implementations.md) — Implements full OAuth 2.0 authorization flows including authorization code and refresh token flows. ([source](https://cdn.jsdelivr.net/gh/smallstep/cli@master/README.md))
- [OAuth Token Management](https://awesome-repositories.com/f/security-cryptography/oauth-token-management.md) — Manages the lifecycle of OAuth tokens and processes API authorization workflows. ([source](https://smallstep.com/docs/step-cli/))
- [PKI Management](https://awesome-repositories.com/f/security-cryptography/pki-management.md) — Bootstraps and manages certificate authorities, trust stores, and issuance policies to maintain a root of trust.
- [Certificate Chain Validation](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers/trust-anchor-management/external-trust-bootstrapping/certificate-chain-validation.md) — Implements recursive validation of certificate chains to establish a verifiable path to a trusted root authority.
- [Root Certificate Generators](https://awesome-repositories.com/f/security-cryptography/tls-certificate-management/self-signed-certificate-generators/root-certificate-generators.md) — Creates self-signed root certificates and leaf certificates with associated private keys. ([source](https://smallstep.com/docs/step-cli/reference/certificate/))
- [Context Switching](https://awesome-repositories.com/f/security-cryptography/api-access-control/endpoint-controls/endpoint-configurations/ca-server-configurations/context-switching.md) — Configures and switches between different certificate authority environments to organize deployments. ([source](https://smallstep.com/docs/step-cli/reference/))
- [Signed JWT Generation](https://awesome-repositories.com/f/security-cryptography/asymmetric-signing/signed-jwt-generation.md) — Generates compact signed JSON Web Tokens (JWS) using secret or private keys. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jwt/sign))
- [Certificate Issuance Policies](https://awesome-repositories.com/f/security-cryptography/certificate-issuance-policies.md) — Defines and enforces the rules and administrative controls under which certificates are issued. ([source](https://smallstep.com/docs/step-cli/reference/ca/))
- [Cryptographic Hash Generation](https://awesome-repositories.com/f/security-cryptography/cryptographic-hash-generation.md) — Produces and verifies cryptographic hashes for files and directories to ensure integrity. ([source](https://smallstep.com/docs/step-cli/reference/crypto/))
- [Data Encryption](https://awesome-repositories.com/f/security-cryptography/data-encryption.md) — Signs and encrypts raw data using high-speed cryptographic primitives. ([source](https://smallstep.com/docs/step-cli/basic-crypto-operations/))
- [JSON Web Encryption](https://awesome-repositories.com/f/security-cryptography/encryption-key-files/payload-encryptions/json-web-encryption.md) — Encrypts data using the JWE standard to create secure, structured data objects. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jwe/encrypt/))
- [Certificate Inspection Tools](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management/certificate-inspection-tools.md) — Parses certificates or requests to display attributes in human-readable or structured formats. ([source](https://smallstep.com/docs/step-cli/reference/certificate/inspect/))
- [SSH Certificate Inspection](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management/certificate-inspection-tools/ssh-certificate-inspection.md) — Analyzes the properties and metadata of SSH certificates to verify access permissions. ([source](https://smallstep.com/docs/step-cli))
- [Revocation List Management](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management/certificate-revocation-validation/revocation-list-management.md) — Maintains lists of revoked certificates to prevent compromised keys from being trusted. ([source](https://smallstep.com/docs/step-cli/reference/))
- [JOSE Specifications](https://awesome-repositories.com/f/security-cryptography/json-web-encryption/jose-specifications.md) — Implements the full JOSE suite for creating and verifying JSON Web Tokens, Keys, and encrypted payloads. ([source](https://smallstep.com/docs/step-cli/basic-crypto-operations))
- [Toolkits](https://awesome-repositories.com/f/security-cryptography/json-web-encryption/jose-specifications/toolkits.md) — Provides a complete JOSE toolkit for managing JSON Web Tokens, Keys, Signatures, and Encryption.
- [JSON Web Signatures](https://awesome-repositories.com/f/security-cryptography/json-web-signatures.md) — Implements the JWS standard to create digitally signed payloads for secure data exchange. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jws/sign))
- [JWT Decoders](https://awesome-repositories.com/f/security-cryptography/jwt-authentication/jwt-decoders.md) — Provides utilities to extract and inspect JWT headers and payloads without signature verification. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jwt/inspect))
- [Signature Verification](https://awesome-repositories.com/f/security-cryptography/jwt-authentication/jwt-decoders/signature-verification.md) — Validates the authenticity of JWS tokens by verifying signatures against expected keys and algorithms. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jws/verify))
- [JSON Web](https://awesome-repositories.com/f/security-cryptography/key-management/json-web.md) — Generates and manages cryptographic keys following the JSON Web Key (JWK) standard. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jwk/create/))
- [MFA Token Generators](https://awesome-repositories.com/f/security-cryptography/mfa-token-generators.md) — Produces time-based one-time password secrets and QR codes for multi-factor authentication. ([source](https://smallstep.com/docs/step-cli/basic-crypto-operations))
- [JSON Web Encryption Decryptions](https://awesome-repositories.com/f/security-cryptography/network-payload-decryptions/json-web-encryption-decryptions.md) — Decodes and decrypts JWE compact strings back into their original plaintext format. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jwe/decrypt/))
- [One-Time Passwords](https://awesome-repositories.com/f/security-cryptography/one-time-passwords.md) — Creates and verifies time-based or counter-based one-time passwords. ([source](https://smallstep.com/docs/step-cli/reference/crypto/))
- [Key Derivation Functions](https://awesome-repositories.com/f/security-cryptography/password-management/key-derivation-functions.md) — Implements key derivation functions to securely transform passwords into cryptographic keys. ([source](https://smallstep.com/docs/step-cli/reference/crypto/))
- [PKI Profile Management](https://awesome-repositories.com/f/security-cryptography/pki-profile-management.md) — Switches between different authority configurations and client profiles to support multiple toolchains. ([source](https://smallstep.com/docs/step-cli/the-step-command/))
- [Non-Human Identity Management](https://awesome-repositories.com/f/security-cryptography/security-trust-models/non-human-identity-management.md) — Implements cryptographic identities and mTLS for authenticating AI agents and internal workloads. ([source](https://smallstep.com/))
- [Certificate Trust Managers](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers.md) — Adds root certificates to system or browser trust stores to establish a trusted chain. ([source](https://smallstep.com/docs/step-cli/reference/certificate/install/))
- [Chain Bundling](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers/trust-anchor-management/external-trust-bootstrapping/certificate-chain-validation/chain-bundling.md) — Combines end-entity certificates with intermediate certificates to enable full path validation. ([source](https://smallstep.com/docs/step-cli/reference/certificate/))
- [SSH Certificate Management](https://awesome-repositories.com/f/security-cryptography/ssh-certificate-management.md) — Generates short-lived SSH user and host certificates and integrates them with the SSH agent. ([source](https://cdn.jsdelivr.net/gh/smallstep/cli@master/README.md))
- [System Trust Stores](https://awesome-repositories.com/f/security-cryptography/system-trust-stores.md) — Adds or removes certificates from the operating system trust store to manage trusted roots. ([source](https://smallstep.com/docs/step-cli))
- [JWT Signing and Verification](https://awesome-repositories.com/f/security-cryptography/token-authentication/token-signature-verification/jwt-signing-and-verification.md) — Validates a JWT's signature, expiration, and issuer to ensure token integrity and authenticity. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jwt/verify))

### Networking & Communication

- [JWT Payload Inspection](https://awesome-repositories.com/f/networking-communication/packet-capture-drivers/raw-packet-inspection/formatted-payload-inspections/jwt-payload-inspection.md) — Decodes JSON Web Signature structures to display payloads without requiring cryptographic verification. ([source](https://smallstep.com/docs/step-cli/reference/crypto/jws/inspect/))

### Software Engineering & Architecture

- [Cryptographic Encoding Conversions](https://awesome-repositories.com/f/software-engineering-architecture/data-encoders-and-decoders/multi-format/cryptographic-encoding-conversions.md) — Provides utilities to transform cryptographic data between DER, PEM, and JSON formats for system interoperability.
