step crypto keypair
step crypto keypair -- generate a public / private keypair in PEM format
step crypto keypair <pub_file> <priv_file>
[--kty=<key-type>] [--curve=<curve>] [--size=<size>]
[--password-file=<file>] [--no-password] [--insecure]
step crypto keypair generates a raw public / private keypair in PEM format. These keys can be used by other operations to sign and encrypt data, and the public key can be bound to an identity in a CSR and signed by a CA to produce a certificate.
Private keys are encrypted using a password. You'll be prompted for this password automatically when the key is used.
<pub_file> The path to write the public key.
<priv_file> The path to write the private key.
--kty=<key-type> The <key-type> to build the certificate upon. If unset, default is EC. <key-type> is a case-sensitive string and must be one of:
EC: Create an elliptic curve keypair
OKP: Create an octet key pair (for "Ed25519" curve)
RSA: Create an RSA keypair
--size=<size> The <size> (in bits) of the key for RSA and oct key types. RSA keys require a minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.
--curve=<curve> The elliptic <curve> to use for EC and OKP key types. Corresponds to the "crv" JWK parameter. Valid curves are defined in JWA [RFC7518]. If unset, default is P-256 for EC keys and Ed25519 for OKP keys. <curve> is a case-sensitive string and must be one of:
P-256: NIST P-256 Curve
P-384: NIST P-384 Curve
P-521: NIST P-521 Curve
Ed25519: Ed25519 Curve
--from-jwk=<jwk-file> Create a PEM representing the key encoded in an existing <jwk-file> instead of creating a new key.
--password-file=<file> The path to the <file> containing the password to encrypt or decrypt the private key.
--no-password Do not ask for a password to encrypt a private key. Sensitive key material will be written to disk unencrypted. This is not recommended. Requires --insecure flag.
-f, --force Force the overwrite of files without asking.
This command returns 0 on success and >0 if any error occurs.
Create an RSA public / private key pair with 4096 bits:
$ step crypto keypair foo.pub foo.key --kty RSA --size 4096
Create an RSA public / private key with fewer than the recommended number of bits (recommended >= 2048 bits):
$ step crypto keypair foo.pub foo.key --kty RSA --size 1024 --insecure
Create an EC public / private key pair with curve P-521:
$ step crypto keypair foo.pub foo.key --kty EC --curve "P-521"
Create an EC public / private key pair but do not encrypt the private key file:
$ step crypto keypair foo.pub foo.key --kty EC --curve "P-256" \
    --no-password --insecure
Create an Octet Key Pair with curve Ed25519:
$ step crypto keypair foo.pub foo.key --kty OKP --curve Ed25519
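A check for the risk noted under --no-password, as an added example that is not part of the step documentation: it classifies PEM files as encrypted or unencrypted and flags private keys that group or other can access. It assumes encrypted keys carry either a legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" label; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the step documentation.
# Assumption: an encrypted key uses legacy PEM encryption (a
# "Proc-Type: 4,ENCRYPTED" header) or PKCS#8 ("ENCRYPTED PRIVATE KEY").

# pem_key_state FILE -> encrypted | unencrypted | not-a-private-key
pem_key_state() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo encrypted
    elif grep -Eq -e '^-----BEGIN (EC |RSA )?PRIVATE KEY-----' "$1" 2>/dev/null; then
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo unencrypted
        fi
    else
        echo not-a-private-key
    fi
}

# audit_key FILE -> prints a report line; returns 1 for a private key that is
# unencrypted or accessible to group/other, 0 otherwise (public keys skipped).
audit_key() {
    state=$(pem_key_state "$1")
    [ "$state" = not-a-private-key ] && { echo "$1: skipped ($state)"; return 0; }
    perms=$(ls -ld -- "$1" | cut -c5-10)    # group + other permission bits
    echo "$1: $state, group/other bits '$perms'"
    [ "$state" = encrypted ] && [ "$perms" = "------" ]
}

# make_samples DIR: write constructed, non-functional PEM files for the demo.
make_samples() (
    umask 077
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END EC PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END EC PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PUBLIC KEY-----' > "$1/foo.pub"
    cp "$1/enc.key" "$1/loose.key" && chmod 644 "$1/loose.key"
)

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
for f in "$demo_dir"/*; do audit_key "$f" || echo "  -> FINDING"; done
rm -rf "$demo_dir"
```

Point audit_key at the <priv_file> paths written by step crypto keypair; a non-zero return marks a key to re-encrypt or re-permission.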