step-cli v0.30.0 reference update

Author: step-ci

manifest.json

@@ -65,9 +65,9 @@ print the version
 
 ## Version
 
-Smallstep CLI/0.29.0 (linux/amd64)
+Smallstep CLI/0.30.0 (linux/amd64)
 
 ## Copyright
 
-(c) 2018-2025 Smallstep Labs, Inc.
+(c) 2018-2026 Smallstep Labs, Inc.
 

step-cli/reference/README.mdx

@@ -152,7 +152,35 @@ The path to the `file` containing the password to encrypt or decrypt the private
 Complete the flow while remaining inside the terminal.
 
 **--kms**=`uri`
-The `uri` to configure a Cloud KMS or an HSM.
+The `uri` to configure a (cloud) KMS or an HSM.
+`uri` is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+Supported KMS types:
+
+- **YubiKey PIV**: Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+- **PKCS #11**: Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+- **TPM 2.0**: Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+- **Google Cloud KMS**: Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+- **AWS KMS**: Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+- **Azure Key Vault**: Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+Examples:
+
+```shell
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+```
+
+    For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.
 
 **--x5c-cert**=`chain`
 Certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT.
@@ -263,6 +291,13 @@ Request a new certificate with an X5C provisioner:
 $ step ca certificate foo.internal foo.crt foo.key --x5c-cert x5c.cert --x5c-key x5c.key
 ```
 
+Request a new certificate with an X5C provisioner using a certificate and private key stored on a YubiKey:
+```shell
+$ step ca certificate joe@example.com joe.crt joe.key \
+  --x5c-cert yubikey:slot-id=9a \
+  --x5c-key 'yubikey:slot-id=9a?pin=value=123456'
+```
+
 **Certificate Templates** - With a provisioner configured with a custom
 template we can use the **--set** flag to pass user variables:
 ```shell

step-cli/reference/ca/certificate/README.mdx

@@ -107,7 +107,35 @@ each with optional fraction and a unit suffix, such as "300ms", "1.5h", or "2h45
 Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
 
 **--kms**=`uri`
-The `uri` to configure a Cloud KMS or an HSM.
+The `uri` to configure a (cloud) KMS or an HSM.
+`uri` is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+Supported KMS types:
+
+- **YubiKey PIV**: Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+- **PKCS #11**: Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+- **TPM 2.0**: Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+- **Google Cloud KMS**: Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+- **AWS KMS**: Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+- **Azure Key Vault**: Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+Examples:
+
+```shell
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+```
+
+    For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.
 
 **--kty**=`kty`
 The `kty` to build the certificate upon.
@@ -179,12 +207,22 @@ Rekey a certificate forcing the overwrite of the previous certificate and key
 $ step ca rekey --force internal.crt internal.key
 ```
 
-Rekey a certificate which key is in a KMS, with another from the same KMS:
+Rekey a certificate using a KMS, with another from the same KMS:
+```shell
+$ step ca rekey --private-key 'yubikey:slot-id=9a?pin-value=123456' \
+  yubikey.crt 'yubikey:slot-id=82?pin-value=123456'
+```
+
+Rekey a certificate using a KMS with the `--kms` flag:
 ```shell
 $ step ca rekey \
   --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
-  --private-key 'pkcs11:id=4002'
-  pkcs11.crt 'pkcs11:id=4001'
+  --private-key 'pkcs11:id=4002' pkcs11.crt 'pkcs11:id=4001'
+```
+
+```shell
+$ step ca rekey --key yubikey:pin-value=123456 --private-key yubikey:slot-id=9a \
+  yubikey.crt 'yubikey:slot-id=82
 ```
 
 Rekey a certificate providing the `--ca-url` and `--root` flags:

step-cli/reference/ca/rekey/README.mdx

@@ -77,7 +77,35 @@ but can accept a different configuration file using **--ca-config** flag.
 The path to the `file` containing the password to encrypt or decrypt the private key.
 
 **--kms**=`uri`
-The `uri` to configure a Cloud KMS or an HSM.
+The `uri` to configure a (cloud) KMS or an HSM.
+`uri` is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+Supported KMS types:
+
+- **YubiKey PIV**: Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+- **PKCS #11**: Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+- **TPM 2.0**: Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+- **Google Cloud KMS**: Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+- **AWS KMS**: Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+- **Azure Key Vault**: Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+Examples:
+
+```shell
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+```
+
+    For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.
 
 **--out**=`file`, **--output-file**=`file`
 The new certificate `file` path. Defaults to overwriting the `crt-file` positional argument
@@ -154,6 +182,11 @@ $ step ca renew --mtls=false --force internal.crt internal.key
 
 Renew a certificate which key is in a KMS:
 ```shell
+$ step ca renew yubikey.crt 'yubikey:slot-id=9a?pin-value=123456'
+```
+
+Renew a certificate which key is in a KMS, using the `--kms` flag:
+```shell
 $ step ca renew \
   --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
   pkcs11.crt 'pkcs11:id=4001'

step-cli/reference/ca/renew/README.mdx

@@ -85,7 +85,35 @@ The path to the `file` containing the password to encrypt or decrypt the private
 Complete the flow while remaining inside the terminal.
 
 **--kms**=`uri`
-The `uri` to configure a Cloud KMS or an HSM.
+The `uri` to configure a (cloud) KMS or an HSM.
+`uri` is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+Supported KMS types:
+
+- **YubiKey PIV**: Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+- **PKCS #11**: Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+- **TPM 2.0**: Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+- **Google Cloud KMS**: Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+- **AWS KMS**: Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+- **Azure Key Vault**: Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+Examples:
+
+```shell
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+```
+
+    For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.
 
 **--x5c-cert**=`chain`
 Certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT.

step-cli/reference/ca/sign/README.mdx

@@ -107,7 +107,35 @@ The path to the `file` containing the password to decrypt the one-time token
 generating key.
 
 **--kms**=`uri`
-The `uri` to configure a Cloud KMS or an HSM.
+The `uri` to configure a (cloud) KMS or an HSM.
+`uri` is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+Supported KMS types:
+
+- **YubiKey PIV**: Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+- **PKCS #11**: Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+- **TPM 2.0**: Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+- **Google Cloud KMS**: Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+- **AWS KMS**: Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+- **Azure Key Vault**: Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+Examples:
+
+```shell
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+```
+
+    For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.
 
 **--x5c-cert**=`chain`
 Certificate (`chain`) in PEM format to store in the 'x5c' header of a JWT.
@@ -309,8 +337,9 @@ Generate an X5C provisioner token using a certificate in a YubiKey. Note that a
 YubiKey does not support storing a certificate bundle. To make it work, you must
 add the intermediate and the root in the provisioner configuration:
 ```shell
-$ step ca token --kms yubikey:pin-value=123456 \
-  --x5c-cert yubikey:slot-id=82 --x5c-key yubikey:slot-id=82 \
+$ step ca token \
+  --x5c-cert yubikey:slot-id=82 \
+  --x5c-key 'yubikey:slot-id=82?pin=value=123456' \
   internal.example.com
 ```
 

step-cli/reference/ca/token/README.mdx

@@ -140,7 +140,35 @@ The path to the `file` containing the password to
 decrypt the CA private key.
 
 **--kms**=`uri`
-The `uri` to configure a Cloud KMS or an HSM.
+The `uri` to configure a (cloud) KMS or an HSM.
+`uri` is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+Supported KMS types:
+
+- **YubiKey PIV**: Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+- **PKCS #11**: Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+- **TPM 2.0**: Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+- **Google Cloud KMS**: Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+- **AWS KMS**: Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+- **Azure Key Vault**: Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+Examples:
+
+```shell
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+```
+
+    For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.
 
 **--key**=`file`
 The `file` of the private key to use instead of creating a new one (PEM file).
@@ -426,8 +454,18 @@ $ step certificate create --csr --template csr.tpl --san coyote@acme.corp \
   "Wile E. Coyote" coyote.csr coyote.key
 ```
 
+Create a CSR using `step-kms-plugin`:
+```shell
+$ step certificate create --csr --key 'yubikey:slot-id=9a?pin=value=123456' coyote@acme.corp coyote.csr
+```
+
 Create a root certificate using `step-kms-plugin`:
 ```shell
+$ step certificate create --profile root-ca --key 'yubikey:slot-id=9a?pin=value=123456' 'KMS Root' root_ca.crt
+```
+
+Create a root certificate using `step-kms-plugin` and the `--kms` flag:
+```shell
 $ step kms create \
   --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
   'pkcs11:id=4000;object=root-key'

step-cli/reference/certificate/create/README.mdx

@@ -84,7 +84,7 @@ $ step certificate needs-renewal ./certificate.crt --bundle
 ```
 
 Check if the leaf certificate provided by smallstep.com has passed 66 percent
-of its vlaidity period:
+of its validity period:
 ```shell
 $ step certificate needs-renewal https://smallstep.com
 ```

step-cli/reference/certificate/needs-renewal/README.mdx

@@ -41,7 +41,35 @@ The path to a private key for signing the CSR.
 
 
 **--kms**=`uri`
-The `uri` to configure a Cloud KMS or an HSM.
+The `uri` to configure a (cloud) KMS or an HSM.
+`uri` is formatted as **kmstype:[key=value;...]?[key=value&...]**. The **;**-separated
+parameters identify the KMS, and **&**-separated parameters contain credentials and additional configuration for those credentials.
+
+Supported KMS types:
+
+- **YubiKey PIV**: Use **yubikey:** URIs. Parameters: **serial**, **pin-value**, **pin-source**, **management-key**, **management-key-source**.
+
+- **PKCS #11**: Use **pkcs11:** URIs. Parameters: **module-path**, **token**, **id**, **object**, **pin-value**, **pin-source**.
+
+- **TPM 2.0**: Use **tpmkms:** URIs. Parameters: **name**, **device**, **attestation-ca-url**.
+
+- **Google Cloud KMS**: Use **cloudkms:** URIs. Parameters: **credentials-file**.
+
+- **AWS KMS**: Use **awskms:** URIs. Parameters: **region**, **profile**, **credentials-file**.
+
+- **Azure Key Vault**: Use **azurekms:** URIs. Parameters: **tenant-id**, **client-id**, **client-secret**, **client-certificate-file**.
+
+Examples:
+
+```shell
+yubikey:pin-value=123456
+pkcs11:module-path=/usr/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=pass
+tpmkms:name=my-key;device=/dev/tpmrm0
+awskms:region=us-east-1
+azurekms:client-id=fooo;client-secret=bar;tenant-id=9de53416-4431-4181-7a8b-23af3EXAMPLE
+```
+
+    For more information, see https://smallstep.com/docs/step-ca/cryptographic-protection/.
 
 **--profile**=`profile`
 The certificate profile sets various certificate details such as
@@ -196,4 +224,8 @@ $ step certificate sign \
   leaf.csr issuer.crt 'pkcs11:id=4001'
 ```
 
+Sign a CSR using a certificate and a key stored in a KMS:
+```shell
+$ step certificate sign leaf.csr yubikey-slot-id=9a 'yubikey-slot-id=9a?pin-value=123456'
+```