Step
@whitemars/stepv2026.07.13.2
01README
Manage the X.509 certificate lifecycle (issue, renew, revoke, inspect) against a Smallstep step-ca certificate authority over the network — CA-agnostic, works with any reachable local or remote step-ca via its root fingerprint. Secondarily includes an optional model to stand up and tear down a local step-ca instance in Docker for development.
02Models
@whitemars/step/cav2026.07.13.2step/ca.ts
Global Arguments
| Argument | Type | Description |
|---|---|---|
| caName | string | Human-readable CA name; becomes the issuer/subject of the root. Sets DOCKER_STEPCA_INIT_NAME. |
| dnsNames | array | DNS names / IPs the CA answers on (SANs on the CA cert). The first entry is used to build the client-facing CA URL. Sets DOCKER_STEPCA_INIT_DNS_NAMES. |
| provisionerPassword | string | Password protecting the provisioner and CA keys. Required for a non-interactive detached boot; persisted into the volume on first init. Supply via ${{ vault.get(...) }}. Sets DOCKER_STEPCA_INIT_PASSWORD. |
| provisionerName | string | Name of the initial JWK provisioner. Sets DOCKER_STEPCA_INIT_PROVISIONER_NAME. |
| port | number | Host port published to the container's internal 9000. |
| address | string | Address step-ca listens on inside the container. Sets DOCKER_STEPCA_INIT_ADDRESS. |
| image | string | Docker image, optionally tag-pinned (e.g. smallstep/step-ca:0.28.1). |
| containerName | string | Name of the docker container. |
| volume | string | Docker named volume mounted at /home/step (holds CA config, keys, and certs). |
| remoteManagement | boolean | Enable step-ca's admin/remote provisioner management API on init. Sets DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT. |
| acme | boolean | Add an ACME provisioner on init. Sets DOCKER_STEPCA_INIT_ACME. |
| ssh | boolean | Enable the SSH CA on init. Sets DOCKER_STEPCA_INIT_SSH. |
| dockerBinary | string | Docker CLI executable to invoke. |
fn up()
Ensure the step-ca container is running. Creates and auto-initializes a fresh CA on first run (empty volume), starts a stopped container otherwise. Idempotent.
fn status()
Report the state of the step-ca container and CA health (existence, running state, root fingerprint, /health).
fn down()
Stop and remove the step-ca container. The named volume (CA config, keys, certs) is preserved so a later `up` resumes the same CA.
Resources
ca(infinite)— The running step-ca instance and its root fingerprint
status(7d)— Observed state of the step-ca container
@whitemars/step/certv2026.07.13.2step/cert.ts
Global Arguments
| Argument | Type | Description |
|---|---|---|
| caUrl | string | CA URL as reachable from the ephemeral step-cli container. For the local @whitemars/step/ca container, keep the default and share its network via `network`. |
| rootFingerprint | string | Root CA fingerprint used to bootstrap trust (required for issue/renew/revoke). Wire from data.latest("<ca-model>", "ca").attributes.rootFingerprint. |
| provisionerName | string | JWK provisioner used to authorize issuance. |
| provisionerPassword | string | Provisioner password (required for issue). Supply via ${{ vault.get(...) }}. |
| stepImage | string | Docker image providing the `step` CLI (optionally tag-pinned). |
| network | string | Docker `--network` for CA-contacting runs. `container:<name>` shares the local CA container's network so `localhost` resolves and TLS SANs match. Set empty for a remote CA reachable on the default bridge. |
| dockerBinary | string | Docker CLI executable to invoke. |
fn issue(subject: string)
Issue a new leaf certificate from the CA over the network. The subject is added as a SAN when extra SANs are given. Stores the certificate and its (vaulted) private key under the subject.
| Argument | Type | Description |
|---|---|---|
| subject | string | Certificate subject (common name). |
fn renew(subject: string)
Renew a previously issued certificate (same key, extended validity) via mTLS. Reads the stored cert/key, renews against the CA, and updates the stored record.
| Argument | Type | Description |
|---|---|---|
| subject | string | Certificate subject (common name). |
fn revoke(subject: string)
Revoke a previously issued certificate via mTLS. Marks the stored record revoked; the certificate can no longer be renewed.
| Argument | Type | Description |
|---|---|---|
| subject | string | Certificate subject (common name). |
fn inspect(subject: string)
Inspect a stored certificate: validity window, expiry countdown, serial, and fingerprint. Purely local — does not contact the CA.
| Argument | Type | Description |
|---|---|---|
| subject | string | Certificate subject (common name). |
Resources
cert(infinite)— An issued leaf certificate and its private key
inspection(30d)— Inspection result for a stored certificate
03Stats
A
100 / 100
Downloads
0
Archive size
26.0 KB
- Has README or module doc2/2earned
- README has a code example1/1earned
- README is substantive1/1earned
- Most symbols documented1/1earned
- No slow types (deprecated)1/1earned
- Dependencies pass trust audit2/2earned
- Has description1/1earned
- Platform support declared (or universal)2/2earned
- License declared1/1earned
- Verified public repository2/2earned
04Platforms
05Labels