DEV.co
Open-Source Security · smallstep

cli

Step CLI is a command-line tool for managing X.509 certificates, JWT/JOSE tokens, SSH certificates, and OAuth workflows. It works standalone or with step-ca (an online CA server) to automate PKI and cryptographic operations across development, testing, and production environments.

Source: GitHub — github.com/smallstep/cli
4.3k
GitHub stars
306
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorysmallstep/cli
Ownersmallstep
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars4.3k
Forks306
Open issues181
Latest releasev0.30.6 (2026-06-10)
Last updated2026-07-07
Sourcehttps://github.com/smallstep/cli

What cli is

Written in Go, Step CLI provides subcommands for certificate operations (create, sign, revoke, lint, validate), JOSE constructs (JWT/JWE/JWS), SSH key management, TOTP/OTP generation, OAuth 2.0 flows, and KMS integration. It supports ACME v2 for interop with standard CAs and includes a plugin architecture for extensibility.

Quickstart

Get the cli source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/smallstep/cli.gitcd cli# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Development PKI Automation

Generate self-signed or CA-signed X.509 certificates for local development, install them in system/browser trust stores, and validate deployment without manual certificate management.

Zero-Trust Infrastructure

Automate SSH certificate provisioning, short-lived credential distribution, and mTLS certificate lifecycle in containerized or microservice deployments using step-ca as a backing authority.

OAuth/OIDC Integration

Integrate OAuth 2.0 and OIDC flows into CLI applications, verify JWT tokens, and manage single sign-on workflows across tools and services.

Implementation considerations

  • Evaluate step-ca server requirements separately if moving beyond client-only use; CLI alone manages keys and tokens but does not issue certificates without a backing CA.
  • Plan key storage and rotation strategy: step supports local files, KMS (HSM, YubiKey, macOS Keychain, cloud KMS via step-kms-plugin), and system integration points.
  • Set up secure credential distribution and plugin configuration if using step-kms-plugin or custom plugins; plugin discovery uses $PATH and $STEPPATH/plugins.
  • Test certificate deployment workflows (install, revoke, renewal) in non-production first; linting and validation are built-in but environment-specific trust store setup varies by OS.
  • Define OAuth provider configuration and OIDC token verification policies if integrating SSO; Step CLI can consume providers but does not act as an OAuth server.

When to avoid it — and what to weigh

  • No PKI/Cryptography Expertise — Step CLI assumes familiarity with X.509, JWTs, and cryptographic concepts. Teams without PKI knowledge may struggle with correct certificate configuration and key management.
  • GUI-Only Operations Required — Step is CLI-only. Projects requiring web UI or graphical management interfaces for certificate lifecycle will need additional tools.
  • Managed PKI Vendor Lock-in Preferred — If your organization mandates a proprietary PKI provider with specific compliance certifications, self-hosted or step-ca-based solutions may not align with vendor requirements.
  • Large-Scale Multi-Tenant CA — Step CLI is client-side tooling; large-scale multi-tenant CA infrastructure requires step-ca server deployment, operational expertise, and separate evaluation.

License & commercial use

Apache License 2.0 (Apache-2.0). A permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability disclaimers.

Apache-2.0 is a permissive open-source license that permits commercial use. You may use Step CLI in closed-source or proprietary applications, modify it, and redistribute it provided you include the original license, copyright notice, and any changes. Consult your legal team for compliance with your organization's policies. No commercial support or warranty is implied; community support is available via GitHub Discussions or Discord.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Step CLI manages private keys and sensitive cryptographic material; secure key storage depends on the environment (local disk, KMS, system keychain). No audit or third-party security assessment data provided. Consider: key access controls, KMS integration for high-sensitivity deployments, and certificate validation to prevent misconfiguration. Use current Go version to benefit from upstream security patches. Review trust store installation on client machines if using browser-integrated certificates.

Alternatives to consider

OpenSSL + certutil

Lower-level, widely available, but steeper learning curve and less workflow automation; no built-in JWT, OAuth, or SSH certificate support.

Vault (HashiCorp)

Full-featured secrets and PKI engine with web UI and API; heavier operational footprint and licensing considerations (MPL 2.0 for open-source, commercial options).

cfssl (CloudFlare)

Go-based, simpler CA toolkit for X.509 operations; lacks JWT/JOSE, OAuth, and SSH certificate features; smaller community and slower development pace.

Software development agency

Build on cli with DEV.co software developers

Step CLI is open-source and production-ready. Start with the installation docs at smallstep.com/docs/step-cli, or contact Devco for help integrating Step CLI and step-ca into your infrastructure.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

cli FAQ

Do I need step-ca to use Step CLI?
No. Step CLI works standalone for certificate creation, inspection, signing, and validation. step-ca is only required if you want an online CA to issue certificates; Step CLI can also work with any ACME v2-compliant CA (e.g., Let's Encrypt).
Can I use Step CLI to sign certificates without a CA server?
Yes. You can create root and intermediate CA certificates locally and use Step CLI to sign CSRs offline. This is suitable for development and testing but requires manual key management.
What key formats does Step CLI support?
RSA, ECDSA (P-256, P-384, P-521), and EdDSA. Keys can be stored locally (encrypted or unencrypted), in system keystores (macOS Keychain), or in cloud/HSM KMS via step-kms-plugin.
Is Step CLI suitable for production certificate issuance?
Step CLI alone is a client tool. Production issuance requires step-ca server deployment with proper operational controls (HA, backups, audit logging). Step CLI is used to interact with step-ca or other ACME CAs in production workflows.

Work with a software development agency

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If cli is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Ready to Automate Your PKI?

Step CLI is open-source and production-ready. Start with the installation docs at smallstep.com/docs/step-cli, or contact Devco for help integrating Step CLI and step-ca into your infrastructure.