Skip to main content

Step

@whitemars/stepv2026.07.13.2· 1d agoMODELS
01README

Manage the X.509 certificate lifecycle (issue, renew, revoke, inspect) against a Smallstep step-ca certificate authority over the network — CA-agnostic, works with any reachable local or remote step-ca via its root fingerprint. Secondarily includes an optional model to stand up and tear down a local step-ca instance in Docker for development.

02Models2
@whitemars/step/cav2026.07.13.2step/ca.ts

Global Arguments

ArgumentTypeDescription
caNamestringHuman-readable CA name; becomes the issuer/subject of the root. Sets DOCKER_STEPCA_INIT_NAME.
dnsNamesarrayDNS names / IPs the CA answers on (SANs on the CA cert). The first entry is used to build the client-facing CA URL. Sets DOCKER_STEPCA_INIT_DNS_NAMES.
provisionerPasswordstringPassword protecting the provisioner and CA keys. Required for a non-interactive detached boot; persisted into the volume on first init. Supply via ${{ vault.get(...) }}. Sets DOCKER_STEPCA_INIT_PASSWORD.
provisionerNamestringName of the initial JWK provisioner. Sets DOCKER_STEPCA_INIT_PROVISIONER_NAME.
portnumberHost port published to the container's internal 9000.
addressstringAddress step-ca listens on inside the container. Sets DOCKER_STEPCA_INIT_ADDRESS.
imagestringDocker image, optionally tag-pinned (e.g. smallstep/step-ca:0.28.1).
containerNamestringName of the docker container.
volumestringDocker named volume mounted at /home/step (holds CA config, keys, and certs).
remoteManagementbooleanEnable step-ca's admin/remote provisioner management API on init. Sets DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT.
acmebooleanAdd an ACME provisioner on init. Sets DOCKER_STEPCA_INIT_ACME.
sshbooleanEnable the SSH CA on init. Sets DOCKER_STEPCA_INIT_SSH.
dockerBinarystringDocker CLI executable to invoke.
fn up()
Ensure the step-ca container is running. Creates and auto-initializes a fresh CA on first run (empty volume), starts a stopped container otherwise. Idempotent.
fn status()
Report the state of the step-ca container and CA health (existence, running state, root fingerprint, /health).
fn down()
Stop and remove the step-ca container. The named volume (CA config, keys, certs) is preserved so a later `up` resumes the same CA.

Resources

ca(infinite)— The running step-ca instance and its root fingerprint
status(7d)— Observed state of the step-ca container
@whitemars/step/certv2026.07.13.2step/cert.ts

Global Arguments

ArgumentTypeDescription
caUrlstringCA URL as reachable from the ephemeral step-cli container. For the local @whitemars/step/ca container, keep the default and share its network via `network`.
rootFingerprintstringRoot CA fingerprint used to bootstrap trust (required for issue/renew/revoke). Wire from data.latest("<ca-model>", "ca").attributes.rootFingerprint.
provisionerNamestringJWK provisioner used to authorize issuance.
provisionerPasswordstringProvisioner password (required for issue). Supply via ${{ vault.get(...) }}.
stepImagestringDocker image providing the `step` CLI (optionally tag-pinned).
networkstringDocker `--network` for CA-contacting runs. `container:<name>` shares the local CA container's network so `localhost` resolves and TLS SANs match. Set empty for a remote CA reachable on the default bridge.
dockerBinarystringDocker CLI executable to invoke.
fn issue(subject: string)
Issue a new leaf certificate from the CA over the network. The subject is added as a SAN when extra SANs are given. Stores the certificate and its (vaulted) private key under the subject.
ArgumentTypeDescription
subjectstringCertificate subject (common name).
fn renew(subject: string)
Renew a previously issued certificate (same key, extended validity) via mTLS. Reads the stored cert/key, renews against the CA, and updates the stored record.
ArgumentTypeDescription
subjectstringCertificate subject (common name).
fn revoke(subject: string)
Revoke a previously issued certificate via mTLS. Marks the stored record revoked; the certificate can no longer be renewed.
ArgumentTypeDescription
subjectstringCertificate subject (common name).
fn inspect(subject: string)
Inspect a stored certificate: validity window, expiry countdown, serial, and fingerprint. Purely local — does not contact the CA.
ArgumentTypeDescription
subjectstringCertificate subject (common name).

Resources

cert(infinite)— An issued leaf certificate and its private key
inspection(30d)— Inspection result for a stored certificate
03Stats
A
100 / 100
Downloads
0
Archive size
26.0 KB
  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types (deprecated)1/1earned
  • Dependencies pass trust audit2/2earned
  • Has description1/1earned
  • Platform support declared (or universal)2/2earned
  • License declared1/1earned
  • Verified public repository2/2earned
04Platforms
05Labels