PKI CLI for operating step-ca, issuing and inspecting X.509 or SSH certificates, and running related crypto and OAuth workflows.
$ brew install step
AI Analysis
step is Smallstep's PKI and certificate automation CLI. It works as both a client for step-ca or other ACME-compatible CAs and a local toolkit for inspecting certificates, issuing credentials, and handling adjacent crypto or OAuth tasks.
What It Enables
- Bootstrap trust, request or renew X.509 certificates, revoke them, and inspect local files or remote TLS chains for PKI automation.
- Generate SSH keys and short-lived SSH certificates, add them to the SSH agent, inspect them, and manage SSH login or renewal workflows.
- Handle supporting identity operations such as JWT, JWS, JWE, and JWK processing, OAuth or OIDC token acquisition, and CA context management.
Agent Fit
- Structured output exists where inspection matters most, including JSON modes for certificate inspection, SSH certificate inspection, JWS verification or inspection, and current context lookup.
- Most commands are flag-driven and scriptable, but unattended use often requires preloaded roots, tokens, password files, an SSH agent, or a configured CA context.
- It fits agents best in known PKI environments where issuance, renewal, and verification steps are already modeled; the CLI is less uniform than tools with one global JSON contract.
Caveats
- Many core workflows assume a reachable step-ca or compatible CA and the right provisioner or trust bootstrap already in place.
- OAuth and some enrollment paths can open a browser or fall back to prompts unless you choose console modes and non-interactive credential flags.