Simplify KMS examples to use auto-detection

Update cryptographic-protection.mdx examples to show the simplified
syntax where KMS URIs can be used directly without the --kms flag.

The step CLI now auto-detects KMS URIs by their scheme prefix (cloudkms:,
awskms:, yubikey:, tpmkms:, pkcs11:), so the --kms flag is optional in
many cases.

Related: smallstep/cli#1560

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: tashian

step-ca/cryptographic-protection.mdx

@@ -2,7 +2,7 @@
 title: Cryptographic Protection
 html_title: Secure Cryptographic Key Protection Methods
 description: Secure private keys in step-ca deployments. Hardware security modules, key management, and cryptographic best practices for enterprise PKI.
-updated_at: September 17, 2025
+updated_at: February 02, 2026
 ---
 
 By default, `step-ca` stores its signing keys encrypted on disk.
@@ -74,11 +74,12 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
 
 ```shell nocopy
 $ step certificate create --profile root-ca \
-   --kms 'cloudkms:' \
-   --key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \
+   --key 'cloudkms:projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \
    "Smallstep Root CA" root_ca.crt
 ```
 
+The `step` CLI automatically detects Cloud KMS URIs, so the `--kms` flag is optional when the key URI includes the `cloudkms:` prefix.
+
 Output:
 
 ```
@@ -91,11 +92,10 @@ Great. Next, repeat the process for the Intermediate CA:
 $ step kms create --json --kms 'cloudkms:' \
     'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate'
 $ step certificate create --profile intermediate-ca \
-   --kms 'cloudkms:' \
    --ca-kms 'cloudkms:' \
    --ca root_ca.crt \
    --ca-key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/root/cryptoKeyVersions/1' \
-   --key 'projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate/cryptoKeyVersions/1' \
+   --key 'cloudkms:projects/smallstep/locations/global/keyRings/step-ca/cryptoKeys/intermediate/cryptoKeyVersions/1' \
    "Smallstep Intermediate CA" intermediate_ca.crt
 ```
 
@@ -230,11 +230,12 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
 
 ```shell nocopy
 $ step certificate create --profile root-ca \
-   --kms 'awskms:region=us-east-2' \
-   --key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \
+   --key 'awskms:region=us-east-2;key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \
    "Smallstep Root CA" root_ca.crt
 ```
 
+The `step` CLI automatically detects AWS KMS URIs, so the `--kms` flag is optional when the key URI includes the `awskms:` prefix. The region can be included in the key URI.
+
 Output:
 
 ```
@@ -246,11 +247,10 @@ Great. Next, we'll repeat the process for the Intermediate CA:
 ```shell nocopy
 $ step kms create --json --kms 'awskms:region=us-east-2' intermediate-ca
 $ step certificate create --profile intermediate-ca \
-   --kms 'awskms:region=us-east-2' \
    --ca-kms 'awskms:region=us-east-2' \
    --ca root_ca.crt \
    --ca-key 'awskms:key-id=78980acd-a42d-4d84-97ba-1e50d3082214' \
-   --key 'awskms:key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \
+   --key 'awskms:region=us-east-2;key-id=9432458d-1e67-4a74-9a23-8f94708b45fe' \
    "Smallstep Intermediate CA" intermediate_ca.crt
 ```
 
@@ -483,7 +483,7 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
 
 ```shell nocopy
 $ step certificate create --profile root-ca \
-   --kms "$PKCS_URI"
+   --kms "$PKCS_URI" \
    --key "pkcs11:id=7331;object=root-ca" \
    "Smallstep Root CA" root_ca.crt
 ```
@@ -494,12 +494,17 @@ Output:
 Your certificate has been saved in root_ca.crt.
 ```
 
+<Alert severity="info">
+  <div>
+  The `--kms` flag is optional if you include the full PKCS #11 URI (with module-path, token, and PIN) in the `--key` argument. However, using `--kms` keeps the key identifier shorter and avoids repeating connection details across multiple commands.
+  </div>
+</Alert>
+
 Great. Next, we'll repeat the process for the Intermediate CA:
 
 ```shell nocopy
 $ step kms create --json --kms "$PKCS_URI" "pkcs11:id=7332;object=intermediate-ca"
 $ step certificate create --profile intermediate-ca \
-   --kms "$PKCS_URI" \
    --ca-kms "$PKCS_URI" \
    --ca root_ca.crt \
    --ca-key "pkcs11:id=7331;object=root-ca" \
@@ -626,14 +631,14 @@ and sign an Intermediate CA certificate:
 ```shell nocopy
 $ step kms create --json 'tpmkms:name=my-intermediate-ca'
 $ step certificate create --profile intermediate-ca \
-   --kms 'tpmkms:' \
    --ca root_ca.crt \
    --ca-key root_ca.key \
    --key 'tpmkms:name=my-intermediate-ca' \
    "Smallstep Intermediate CA" intermediate_ca.crt
 ```
 
 Here, the `--ca-key` is your root CA; the `--key` is the intermediate CA key id.
+The `step` CLI automatically detects TPM KMS URIs, so the `--kms` flag is optional.
 
 Output:
 
@@ -725,12 +730,12 @@ Now, let's sign a root CA certificate based on the the key you just created. Sub
 
 ```shell nocopy
 $ step certificate create --profile root-ca \
-   --kms 'yubikey:pin-value=123456' \
-   --key 'yubikey:slot-id=82' \
+   --key 'yubikey:slot-id=82?pin-value=123456' \
    "Smallstep Root CA" root_ca.crt
 ```
 
 Here we're using the default PIN code of 123456 to access the YubiKey.
+The `step` CLI automatically detects YubiKey URIs, so the `--kms` flag is optional when the PIN is included in the key URI.
 
 Output:
 
@@ -743,11 +748,10 @@ Great. Next, we'll repeat the process for the Intermediate CA:
 ```shell nocopy
 $ step kms create --json 'yubikey:slot-id=83'
 $ step certificate create --profile intermediate-ca \
-   --kms 'yubikey:pin-value=123456' \
    --ca-kms 'yubikey:pin-value=123456' \
    --ca root_ca.crt \
    --ca-key 'yubikey:slot-id=82' \
-   --key 'yubikey:slot-id=83' \
+   --key 'yubikey:slot-id=83?pin-value=123456' \
    "Smallstep Intermediate CA" intermediate_ca.crt
 ```