1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

### Added

- Add `--token-file` flag to `step ca certificate` to read the token from a file.
- Support for inspecting certificates with post-quantum algorithms ML-DSA and
SLH-DSA (smallstep/certinfo#69).

20 changes: 18 additions & 2 deletions command/ca/certificate.go
Expand Up @@ -15,6 +15,7 @@ import (

"github.com/smallstep/cli/flags"
"github.com/smallstep/cli/token"
"github.com/smallstep/cli/utils"
"github.com/smallstep/cli/utils/cautils"
)

Expand Down Expand Up @@ -182,6 +183,10 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
Usage: "The directory where TPM keys and certificates will be stored",
Value: filepath.Join(step.Path(), "tpm"),
},
cli.StringFlag{
Name: "token-file",
Usage: "The path to a <file> containing the one time token. Mutually exclusive with '--token' and '--offline'; for JWK tokens it is effectively incompatible with '--san' because SANs are taken from the token.",
},
flags.TemplateSet,
flags.TemplateSetFile,
flags.CaConfig,
Expand Down Expand Up @@ -232,21 +237,32 @@ func certificateAction(ctx *cli.Context) error {
crtFile, keyFile := args.Get(1), args.Get(2)

tok := ctx.String("token")
tokenFile := ctx.String("token-file")
offline := ctx.Bool("offline")
sans := ctx.StringSlice("san")

switch {
case tok != "" && tokenFile != "":
return errs.IncompatibleFlagWithFlag(ctx, "token", "token-file")
case offline && tok != "":
// offline and token are incompatible because the token is generated before
// the start of the offline CA.
return errs.IncompatibleFlagWithFlag(ctx, "offline", "token")
case offline && tokenFile != "":
return errs.IncompatibleFlagWithFlag(ctx, "offline", "token-file")
case ctx.String("attestation-uri") != "" && ctx.String("kms") != "":
// attestation-uri and kms are incompatible because the ACME-DA flow
// expects all necessary parameters in the attestation-uri, and having
// both can be confusing.
return errs.IncompatibleFlagWithFlag(ctx, "attestation-uri", "kms")
}

if tokenFile != "" {
b, err := utils.ReadFile(tokenFile)
if err != nil {
return err
}
tok = strings.TrimSpace(string(b))
}

// certificate flow unifies online and offline flows on a single api
flow, err := cautils.NewCertificateFlow(ctx)
if err != nil {
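Review bot: An empty or whitespace-only token file is not rejected: after `tok = strings.TrimSpace(string(b))` the flow continues with `tok == ""`, so a wrong `--token-file` path contents silently behaves as if no token had been given rather than failing, and the exclusivity switch above cannot catch this because it only inspects `tokenFile`, not the value read from it. Add a check right after the trim, `if tok == "" { return errs.InvalidFlagValue(ctx, "token-file", tokenFile, "") }` (or whichever flag-error helper this file prefers), so a misconfigured file fails at the flag layer with a clear message. A file holding more than one line is worth the same treatment, since the embedded newline would only surface later as a token-parsing error far from its cause. The enclosing certificateAction begins before this hunk and continues past its last visible line.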