Commit 053cfe0

tashian and claude committed
Simplify KMS examples to use auto-detection

Update cryptographic-protection.mdx examples to show the simplified syntax where KMS URIs can be used directly without the --kms flag. The step CLI now auto-detects KMS URIs by their scheme prefix (cloudkms:, awskms:, yubikey:, tpmkms:, pkcs11:), so the --kms flag is optional in many cases.

Related: smallstep/cli#1560

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 221d593 commit 053cfe0

1 file changed: step-ca/cryptographic-protection.mdx

Lines changed: 8 additions & 16 deletions
@@ -2,7 +2,7 @@
22
title: Cryptographic Protection
33
html_title: Secure Cryptographic Key Protection Methods
44
description: Secure private keys in step-ca deployments. Hardware security modules, key management, and cryptographic best practices for enterprise PKI.
5-
updated_at: September 17, 2025
5+
updated_at: February 02, 2026
66
---
77

88
By default, `step-ca` stores its signing keys encrypted on disk.
@@ -74,8 +74,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
7474

7575
```shell nocopy
7676
$ step certificate create --profile root-ca \
77-
--kms 'cloudkms:' \
78-
--key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \
77+
--key 'cloudkms:projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \
7978
"Smallstep Root CA" root_ca.crt
8079
```
8180

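Review bot: the new `--key 'cloudkms:projects/...'` form depends on scheme auto-detection that, per the commit message, arrives with smallstep/cli#1560, so the prose around this block should state the minimum `step` version that supports dropping `--kms`; on an older CLI this example will fail to locate the key with no hint as to why. While this block is being touched, the hunk's context line still reads "based on the the key" (doubled "the") and could be fixed in the same change.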
@@ -91,11 +90,10 @@ Great. Next, repeat the process for the Intermediate CA:
9190
$ step kms create --json --kms 'cloudkms:' \
9291
'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate'
9392
$ step certificate create --profile intermediate-ca \
94-
--kms 'cloudkms:' \
9593
--ca-kms 'cloudkms:' \
9694
--ca root_ca.crt \
9795
--ca-key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \
98-
--key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate/cryptoKeyVersions/1' \
96+
--key 'cloudkms:projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate/cryptoKeyVersions/1' \
9997
"Smallstep Intermediate CA" intermediate_ca.crt
10098
```
10199

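Review bot: the intermediate command now mixes two styles in one invocation: `--key` carries the `cloudkms:` prefix with no `--kms`, while `--ca-key 'projects/...'` stays a bare resource path paired with `--ca-kms 'cloudkms:'`, and `step kms create` two lines earlier still passes `--kms 'cloudkms:'`. If auto-detection also applies to `--ca-key` and to `step kms create`, convert those to the prefixed form so the section demonstrates a single syntax; if it does not, add a sentence explaining why `--ca-kms` remains required, otherwise readers will drop it by analogy with `--kms`.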
@@ -230,8 +228,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
230228

231229
```shell nocopy
232230
$ step certificate create --profile root-ca \
233-
--kms 'awskms:region=us-east-2' \
234-
--key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \
231+
--key 'awskms:region=us-east-2;key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \
235232
"Smallstep Root CA" root_ca.crt
236233
```
237234

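Review bot: `--key 'awskms:region=us-east-2;key-id=...'` introduces a `;`-separated multi-parameter URI form that the surrounding prose never explains. Since the region used to live in `--kms` and now has to be folded into the key URI, the text should say that connection options such as `region` go into the key URI when `--kms` is omitted and which separator joins them, because the `cloudkms:` example uses a plain path and the `yubikey:` example later on the page uses `?`.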
@@ -246,11 +243,10 @@ Great. Next, we'll repeat the process for the Intermediate CA:
246243
```shell nocopy
247244
$ step kms create --json --kms 'awskms:region=us-east-2' intermediate-ca
248245
$ step certificate create --profile intermediate-ca \
249-
--kms 'awskms:region=us-east-2' \
250246
--ca-kms 'awskms:region=us-east-2' \
251247
--ca root_ca.crt \
252248
--ca-key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \
253-
--key 'awskms:key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \
249+
--key 'awskms:region=us-east-2;key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \
254250
"Smallstep Intermediate CA" intermediate_ca.crt
255251
```
256252

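Review bot: same mixed-style concern as the Cloud KMS intermediate example: `--key` now embeds `region=us-east-2`, `--ca-key 'awskms:key-id=...'` carries no region and relies on `--ca-kms 'awskms:region=us-east-2'`, and `step kms create` on the first line still uses `--kms`. Pick one form for the whole section, or state explicitly that `--ca-key` keeps the `--ca-kms` pairing, so a reader can tell which flags are genuinely still required rather than left over.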
@@ -483,7 +479,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
483479

484480
```shell nocopy
485481
$ step certificate create --profile root-ca \
486-
--kms "$PKCS_URI"
482+
--kms "$PKCS_URI" \
487483
--key "pkcs11:id=7331;object=root-ca" \
488484
"Smallstep Root CA" root_ca.crt
489485
```
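Review bot: the `--kms "$PKCS_URI"` line gains a trailing `\` that was missing before; without it the original example executed `step certificate create --profile root-ca --kms "$PKCS_URI"` by itself and then tried to run `--key ...` as a separate command, so this is a real bug fix rather than a syntax simplification and deserves a mention in the commit message. This section is also the only one that keeps `--kms` after the change; a sentence explaining why (for example, if `$PKCS_URI` carries settings that the short `pkcs11:id=...;object=...` key URI cannot express) would stop readers from deleting it to match the other sections.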
@@ -499,7 +495,6 @@ Great. Next, we'll repeat the process for the Intermediate CA:
499495
```shell nocopy
500496
$ step kms create --json --kms "$PKCS_URI" "pkcs11:id=7332;object=intermediate-ca"
501497
$ step certificate create --profile intermediate-ca \
502-
--kms "$PKCS_URI" \
503498
--ca-kms "$PKCS_URI" \
504499
--ca root_ca.crt \
505500
--ca-key "pkcs11:id=7331;object=root-ca" \
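Review bot: this hunk removes `--kms "$PKCS_URI"` from the intermediate command while the root command in the previous hunk keeps it, and both use the same short `pkcs11:id=...;object=...` key form. Either the root example can drop `--kms` too, or this removal leaves the intermediate example unable to find the PKCS#11 module and the line should be restored. Please run the intermediate command end to end and make the two examples match.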
@@ -626,7 +621,6 @@ and sign an Intermediate CA certificate:
626621
```shell nocopy
627622
$ step kms create --json 'tpmkms:name=my-intermediate-ca'
628623
$ step certificate create --profile intermediate-ca \
629-
--kms 'tpmkms:' \
630624
--ca root_ca.crt \
631625
--ca-key root_ca.key \
632626
--key 'tpmkms:name=my-intermediate-ca' \
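Review bot: this one is internally consistent: `step kms create --json 'tpmkms:name=my-intermediate-ca'` on the first line already omitted `--kms`, and `--ca-key root_ca.key` is an on-disk file, so no `--ca-kms` is involved. Nothing blocking; the intro sentence ("and sign an Intermediate CA certificate") could note that in this flow the root key stays a software key file while only the intermediate key lives in the TPM, since that split is easy to miss in the command itself.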
@@ -725,8 +719,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
725719

726720
```shell nocopy
727721
$ step certificate create --profile root-ca \
728-
--kms 'yubikey:pin-value=123456' \
729-
--key 'yubikey:slot-id=82' \
722+
--key 'yubikey:slot-id=82?pin-value=123456' \
730723
"Smallstep Root CA" root_ca.crt
731724
```
732725

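Review bot: `--key 'yubikey:slot-id=82?pin-value=123456'` is a third URI syntax on the page (`?` query parameter, versus `;` for `awskms:` and a bare path for `cloudkms:`) and appears without explanation; add a sentence on how options are attached to a `yubikey:` URI. Because the PIN is still passed on the command line, exactly as the old `--kms 'yubikey:pin-value=123456'` form did, the text should also point out that `123456` is the YubiKey PIV factory-default PIN and that whatever PIN is used will end up in shell history and process listings, so readers deploy with a changed PIN and handle the command line accordingly.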
@@ -743,11 +736,10 @@ Great. Next, we'll repeat the process for the Intermediate CA:
743736
```shell nocopy
744737
$ step kms create --json 'yubikey:slot-id=83'
745738
$ step certificate create --profile intermediate-ca \
746-
--kms 'yubikey:pin-value=123456' \
747739
--ca-kms 'yubikey:pin-value=123456' \
748740
--ca root_ca.crt \
749741
--ca-key 'yubikey:slot-id=82' \
750-
--key 'yubikey:slot-id=83' \
742+
--key 'yubikey:slot-id=83?pin-value=123456' \
751743
"Smallstep Intermediate CA" intermediate_ca.crt
752744
```
753745

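Review bot: the PIN now appears twice in a single command (`--ca-kms 'yubikey:pin-value=123456'` and `--key 'yubikey:slot-id=83?pin-value=123456'`) while `--ca-key 'yubikey:slot-id=82'` stays bare. If the `--ca-key` URI can also take `?pin-value=`, drop `--ca-kms` and use one form throughout; if not, say so in the prose. Also confirm that `step kms create --json 'yubikey:slot-id=83'` on the first line works without any PIN, since it is the only YubiKey invocation on the page shown without one.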