cli
Step CLI is a command-line tool for managing X.509 certificates, JWT/JOSE tokens, SSH certificates, and OAuth workflows. It works standalone or with step-ca (an online CA server) to automate PKI and cryptographic operations across development, testing, and production environments.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | smallstep/cli |
| Owner | smallstep |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 4.3k |
| Forks | 306 |
| Open issues | 181 |
| Latest release | v0.30.6 (2026-06-10) |
| Last updated | 2026-07-07 |
| Source | https://github.com/smallstep/cli |
What cli is
Written in Go, Step CLI provides subcommands for certificate operations (create, sign, revoke, lint, validate), JOSE constructs (JWT/JWE/JWS), SSH key management, TOTP/OTP generation, OAuth 2.0 flows, and KMS integration. It supports ACME v2 for interop with standard CAs and includes a plugin architecture for extensibility.
Get the cli source
Clone the repository and explore it locally.
git clone https://github.com/smallstep/cli.gitcd cli# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Evaluate step-ca server requirements separately if moving beyond client-only use; CLI alone manages keys and tokens but does not issue certificates without a backing CA.
- Plan key storage and rotation strategy: step supports local files, KMS (HSM, YubiKey, macOS Keychain, cloud KMS via step-kms-plugin), and system integration points.
- Set up secure credential distribution and plugin configuration if using step-kms-plugin or custom plugins; plugin discovery uses $PATH and $STEPPATH/plugins.
- Test certificate deployment workflows (install, revoke, renewal) in non-production first; linting and validation are built-in but environment-specific trust store setup varies by OS.
- Define OAuth provider configuration and OIDC token verification policies if integrating SSO; Step CLI can consume providers but does not act as an OAuth server.
When to avoid it — and what to weigh
- No PKI/Cryptography Expertise — Step CLI assumes familiarity with X.509, JWTs, and cryptographic concepts. Teams without PKI knowledge may struggle with correct certificate configuration and key management.
- GUI-Only Operations Required — Step is CLI-only. Projects requiring web UI or graphical management interfaces for certificate lifecycle will need additional tools.
- Managed PKI Vendor Lock-in Preferred — If your organization mandates a proprietary PKI provider with specific compliance certifications, self-hosted or step-ca-based solutions may not align with vendor requirements.
- Large-Scale Multi-Tenant CA — Step CLI is client-side tooling; large-scale multi-tenant CA infrastructure requires step-ca server deployment, operational expertise, and separate evaluation.
License & commercial use
Apache License 2.0 (Apache-2.0). A permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability disclaimers.
Apache-2.0 is a permissive open-source license that permits commercial use. You may use Step CLI in closed-source or proprietary applications, modify it, and redistribute it provided you include the original license, copyright notice, and any changes. Consult your legal team for compliance with your organization's policies. No commercial support or warranty is implied; community support is available via GitHub Discussions or Discord.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Step CLI manages private keys and sensitive cryptographic material; secure key storage depends on the environment (local disk, KMS, system keychain). No audit or third-party security assessment data provided. Consider: key access controls, KMS integration for high-sensitivity deployments, and certificate validation to prevent misconfiguration. Use current Go version to benefit from upstream security patches. Review trust store installation on client machines if using browser-integrated certificates.
Alternatives to consider
OpenSSL + certutil
Lower-level, widely available, but steeper learning curve and less workflow automation; no built-in JWT, OAuth, or SSH certificate support.
Vault (HashiCorp)
Full-featured secrets and PKI engine with web UI and API; heavier operational footprint and licensing considerations (MPL 2.0 for open-source, commercial options).
cfssl (CloudFlare)
Go-based, simpler CA toolkit for X.509 operations; lacks JWT/JOSE, OAuth, and SSH certificate features; smaller community and slower development pace.
Build on cli with DEV.co software developers
Step CLI is open-source and production-ready. Start with the installation docs at smallstep.com/docs/step-cli, or contact Devco for help integrating Step CLI and step-ca into your infrastructure.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
cli FAQ
Do I need step-ca to use Step CLI?
Can I use Step CLI to sign certificates without a CA server?
What key formats does Step CLI support?
Is Step CLI suitable for production certificate issuance?
Work with a software development agency
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If cli is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Ready to Automate Your PKI?
Step CLI is open-source and production-ready. Start with the installation docs at smallstep.com/docs/step-cli, or contact Devco for help integrating Step CLI and step-ca into your infrastructure.