Claude Code For Step Ca Pki (2026)
Claude Code for step-ca PKI Workflow Guide
Managing Public Key Infrastructure (PKI) is essential for securing modern applications, but it can be complex and error-prone. smallstep’s step-ca provides a modern, automated certificate authority that integrates well with Claude Code, enabling developers to automate certificate lifecycle management efficiently.
This guide demonstrates how to use Claude Code to streamline your step-ca PKI workflows, from initial setup to certificate rotation and revocation. You will find concrete shell commands, workflow patterns, and troubleshooting techniques you can apply immediately to a real environment.
Understanding step-ca and Claude Code
step-ca is an open-source certificate authority that supports multiple certificate formats and authentication methods. It integrates smoothly with smallstep’s certificate manager and provides simple ACME, SCEP, and API-based certificate issuance. Claude Code can interact with step-ca through its CLI, API, or by creating custom skills tailored to your PKI needs.
The combination of step-ca and Claude Code is powerful because Claude understands your intent. such as “issue a new certificate for my API server”. and handles the underlying certificate operations automatically, reducing manual errors and saving time.
A traditional PKI workflow involves multiple manual steps: generating a CSR, submitting it to the CA, downloading the signed certificate, deploying it, scheduling renewal reminders, and repeating this for every service in your fleet. With step-ca and Claude Code, most of that becomes a single prompted interaction.
step-ca vs Traditional PKI Approaches
| Capability | OpenSSL + Manual CA | HashiCorp Vault PKI | step-ca |
|---|---|---|---|
| Setup complexity | High | Medium | Low |
| ACME support | No | Yes (EE) | Yes |
| Short-lived certs | Manual | Yes | Yes |
| CLI ergonomics | Poor | Medium | Excellent |
| Claude Code integration | Limited | Good | Excellent |
| Automated renewal | Manual scripting | Agent required | Built-in (step ca renew) |
step-ca wins for teams that want a modern, developer-friendly CA without the overhead of a full Vault deployment.
Prerequisites
Before implementing PKI workflows with Claude Code and step-ca, ensure you have:
- step-ca installed on your system or server
- A running step-ca instance with proper configuration
- Claude Code installed with bash and read_file tools enabled
- Basic understanding of certificate concepts (CAs, certificates, keys, CSR)
- The
stepCLI tool installed on any host that will request or renew certificates
You can verify your step CLI installation with:
step version
Expected output: Smallstep CLI/0.x.x (linux/amd64)
step ca health --ca-url=$STEP_CA_URL
Expected output: {"status":"ok"}
If the health check fails, confirm your CA URL and that the step-ca service is running before proceeding.
Setting Up step-ca with Claude Code
Initial Configuration
Begin by establishing the environment variables that Claude Code will use to communicate with your step-ca instance:
export STEPPATH="$HOME/.step"
export STEP_CA_URL="https://ca.example.com:8443"
export STEP_CA_FINGERPRINT="your-ca-fingerprint-here"
Place these in your shell profile (~/.zshrc or ~/.bashrc) so they persist across sessions. Claude Code will read them from the environment when executing commands via the bash tool.
Claude Code can help you generate these configurations by running commands and interpreting the outputs. For local development, you might start a dev CA:
Initialize a new CA for development
step ca init \
--name "Development CA" \
--dns "localhost" \
--address ":8443" \
--provisioner "[email protected]"
This command creates the CA directory structure under $STEPPATH, generates the root and intermediate certificates, and configures the default provisioner. Claude Code can walk you through interpreting the output and setting up the first provisioner password.
To retrieve the CA fingerprint (needed for bootstrapping trust on client hosts):
step ca root | step certificate fingerprint
Store this fingerprint securely. it is what clients use to verify the CA’s identity before trusting any certificates it issues.
Creating a Claude Skill for PKI Operations
Create a custom skill to standardize your PKI interactions. This skill should define common certificate operations:
name: pki-manager
description: "Manage certificates using step-ca PKI"
A well-designed pki-manager skill accepts the following inputs:
- Operation:
issue,renew,revoke,inspect - Subject: the hostname or service name for the certificate
- Validity period: duration string like
24h,720h,8760h - Output paths for the certificate and key files
When Claude Code receives a plain-English request like “issue a certificate for the new payment service with a 30-day lifetime,” the pki-manager skill maps that intent to the correct step ca certificate invocation with the right flags, provisioner, and output paths.
Automating Certificate Management
Certificate Issuance Workflow
Claude Code excels at automating certificate issuance across multiple services. Here’s a practical workflow:
Request a new certificate
step ca certificate api.example.com api.crt api.key \
--ca-url=$STEP_CA_URL \
--provisioner=automation \
--not-after=720h
Verify the certificate was issued correctly
step certificate inspect api.crt --short
Confirm it chains to the root CA
step certificate verify api.crt --roots=$STEPPATH/certs/root_ca.crt
After issuance, Claude Code can help you deploy the certificate to its destination. copying it to a secrets manager, updating a Kubernetes secret, or reloading an nginx configuration.
A complete issuance-and-deploy workflow for an nginx service might look like:
Issue certificate
step ca certificate "web.internal.example.com" /etc/ssl/web.crt /etc/ssl/web.key \
--ca-url=$STEP_CA_URL --not-after=720h
Reload nginx without downtime
nginx -t && systemctl reload nginx
Confirm the live certificate
echo | openssl s_client -connect web.internal.example.com:443 2>/dev/null \
| openssl x509 -noout -dates
Claude Code can execute all three steps in sequence and surface the expiry dates for your records, so you know exactly when the next renewal is due.
Bulk Certificate Operations
For environments with multiple services, Claude Code can handle bulk operations efficiently:
Create certificates for multiple services in one workflow
for service in api web database cache; do
step ca certificate "${service}.internal.example.com" "${service}.crt" "${service}.key" \
--ca-url=$STEP_CA_URL \
--provisioner=automation \
--not-after=8760h
done
Claude Code can generate such scripts based on your service inventory, making it easy to maintain certificates across your infrastructure. Provide Claude with a list of hostnames from your service registry and it will produce the loop, handle naming conventions, and optionally push the resulting certificates to the correct destinations.
For larger fleets, consider structuring the output directory:
CERT_DIR="/etc/pki/tls/services"
mkdir -p $CERT_DIR
for service in api web database cache; do
SERVICE_DIR="$CERT_DIR/$service"
mkdir -p $SERVICE_DIR
step ca certificate "${service}.internal.example.com" \
"$SERVICE_DIR/cert.pem" \
"$SERVICE_DIR/key.pem" \
--ca-url=$STEP_CA_URL \
--provisioner=automation \
--not-after=8760h
echo "Issued: ${service}. expires $(step certificate inspect $SERVICE_DIR/cert.pem --format json | jq -r .validity.end)"
done
This approach keeps certificates organized per service and logs expiry times for each, giving you an audit trail.
Certificate Rotation Automation
Certificate rotation is critical for security. Claude Code can help you implement automated rotation:
Check all certificate expiration dates
step ca list | jq -r '.[] | "\(.hostname) \(.not_after)"'
Renew certificates expiring within 7 days
step ca list | jq -r '.[] | select(.not_after | fromdateiso8601 < (now + 604800)) | .hostname' | \
while read host; do
step ca renew "${host}.crt" "${host}.key" --ca-url=$STEP_CA_URL
echo "Renewed: $host"
done
For a production setup, wrap this in a cron job or a systemd timer that runs daily:
/etc/cron.d/cert-rotation
0 2 * * * root /usr/local/bin/rotate-certs.sh >> /var/log/cert-rotation.log 2>&1
The rotate-certs.sh script can be generated by Claude Code, tailored to your service layout. You provide the list of certificate paths and their associated services; Claude writes the rotation script, handles the reload logic for each service type, and adds error handling so a single failed renewal does not abort the entire run.
Certificate Security Best Practices
Using Short-Lived Certificates
For enhanced security, configure shorter certificate lifetimes. Short-lived certificates reduce the blast radius of a compromised key. if an attacker obtains a private key that expires in 24 hours, their window to exploit it is narrow.
Issue certificate with 24-hour validity
step ca certificate "service.example.com" "service.crt" "service.key" --not-after=24h
For workloads with automated renewal (recommended for internal services)
step ca certificate "worker.internal.example.com" "worker.crt" "worker.key" --not-after=4h
Pair short-lived certificates with automated renewal using step’s built-in renewal daemon:
Run the renewal daemon. renews when <2/3 of lifetime remains
step ca renew --daemon --ca-url=$STEP_CA_URL service.crt service.key
This daemon runs in the background and renews the certificate before it expires, so services never need to handle rotation themselves.
Implementing mTLS
Mutual TLS provides strong authentication between services. Rather than relying solely on network segmentation or API keys, mTLS ensures both sides of a connection present valid certificates issued by a trusted CA.
Issue client certificate for a specific service identity
step ca certificate "payment-service" "client.crt" "client.key" \
--ca-url=$STEP_CA_URL \
--provisioner=automation \
--san="payment-service.internal.example.com"
Create certificate bundle (client cert + CA chain)
cat client.crt $STEPPATH/certs/root_ca.crt > bundle.pem
Configure your application to present the client certificate on outbound connections. For curl-based testing:
Test mTLS connection
curl --cert client.crt --key client.key \
--cacert $STEPPATH/certs/root_ca.crt \
https://api.internal.example.com/health
Claude Code can generate the mTLS configuration blocks for nginx, Envoy, or Go’s tls.Config struct based on your target runtime, then verify the configuration is syntactically valid before you deploy it.
Certificate Policy Enforcement
A common gap in PKI deployments is inconsistent certificate lifetimes. some certs are valid for one year, others for five. Claude Code can audit your current fleet:
Audit all certificate lifetimes
for cert_file in /etc/pki/tls/services//*.pem; do
hostname=$(basename $(dirname $cert_file))
expiry=$(step certificate inspect "$cert_file" --format json 2>/dev/null | jq -r '.validity.end // "unreadable"')
echo "$hostname: $expiry"
done
Feed this output back to Claude and ask it to flag any certificates with lifetimes exceeding your policy threshold. This turns a manual audit into a prompted five-minute task.
Troubleshooting Common PKI Issues
Certificate Chain Verification
When verification fails, Claude Code can diagnose the issue:
Check certificate chain integrity
step certificate verify server.crt --roots=$STEPPATH/certs/root_ca.crt
Inspect certificate details in full
step certificate inspect server.crt --format json | jq '{
subject: .subject,
san: .extensions.subjectAltName,
valid_from: .validity.start,
valid_until: .validity.end,
issuer: .issuer
}'
Common chain verification failures fall into three categories:
- Wrong root CA: The certificate was issued by a different CA instance than the one the verifier trusts. Check that both sides are bootstrapped with the same CA fingerprint.
- Expired intermediate: If your CA uses an intermediate certificate, the intermediate itself may have expired. Run
step certificate inspect $STEPPATH/certs/intermediate_ca.crtto check. - SAN mismatch: The hostname in the connection does not match any Subject Alternative Name in the certificate. Inspect the SAN list using the command above.
Renewal Failures
Common renewal issues include expired provisioner credentials or network problems. Claude Code can help troubleshoot:
Check provisioner status
step ca provisioner list
Test connectivity to CA
curl -k $STEP_CA_URL/health
Check if the certificate is still within its renewal window
step certificate inspect service.crt --format json | jq '{
not_before: .validity.start,
not_after: .validity.end
}'
If the renewal daemon is failing silently, check its logs:
journalctl -u cert-renewer@service -n 50 --no-pager
Provide this output to Claude Code and it will identify whether the issue is a network timeout, an expired JWK provisioner, or a permissions problem on the certificate files.
Integration with Container Orchestration
Kubernetes Certificate Management
For Kubernetes environments, integrate step-ca with cert-manager:
Example cert-manager issuer configuration
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: step-ca-issuer
namespace: default
spec:
ca:
secretName: step-ca-cert
You also need to create the secret containing the CA certificate:
Export CA cert and create Kubernetes secret
kubectl create secret generic step-ca-cert \
--from-file=tls.crt=$STEPPATH/certs/root_ca.crt \
--namespace=default
Once the issuer is configured, cert-manager can automatically provision and renew certificates for any ingress or pod that requests one through a Certificate resource:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: api-tls
namespace: default
spec:
secretName: api-tls-secret
issuerRef:
name: step-ca-issuer
kind: Issuer
dnsNames:
- api.internal.example.com
duration: 720h
renewBefore: 168h
Claude Code can generate these manifests from a list of service names and namespaces, apply them to the cluster, and verify the resulting secrets contain valid certificates. all in a single session.
Docker Compose Environments
For local development with Docker Compose, you can mount certificates issued by a dev step-ca into your containers:
services:
api:
image: my-api:latest
volumes:
- ./certs/api.crt:/etc/ssl/certs/api.crt:ro
- ./certs/api.key:/etc/ssl/private/api.key:ro
environment:
- TLS_CERT_PATH=/etc/ssl/certs/api.crt
- TLS_KEY_PATH=/etc/ssl/private/api.key
Generate the ./certs directory using step-ca before running docker compose up:
mkdir -p ./certs
step ca certificate "api" ./certs/api.crt ./certs/api.key \
--ca-url=https://localhost:8443 --not-after=24h
This gives your local containers the same mTLS behavior they will have in production, catching certificate-related bugs before they reach staging.
Actionable Summary
Implementing step-ca PKI workflows with Claude Code provides significant benefits:
- Automation: Claude Code handles certificate operations, reducing manual work
- Consistency: Custom skills ensure standardized certificate management across your fleet
- Security: Short-lived certificates and automated rotation reduce the window of exposure for compromised keys
- Troubleshooting: Claude helps diagnose and resolve PKI issues quickly by correlating log output, certificate inspection data, and CA health checks in a single context
Start by setting up your step-ca environment, bootstrap trust on your client hosts using the CA fingerprint, and create a custom pki-manager skill for your most common operations. As your comfort grows, layer in the rotation automation and mTLS configurations. The payoff is a certificate infrastructure that mostly runs itself, with Claude Code available to handle the exceptions.
Try it: Paste your error into our Error Diagnostic for an instant fix.
Related Reading
- AI Assisted Architecture Design Workflow Guide
- AI Assisted Code Review Workflow Best Practices
- Best Way to Integrate Claude Code into Team Workflow
Built by theluckystrike. More at zovo.one
Find the right skill → Browse 155+ skills in our Skill Finder.