step-ca

Run a private certificate authority with step-ca. Use when a user asks to issue internal TLS certificates, set up mTLS between services, create a private PKI, or manage certificates for internal infrastructure.

Tags: #step-ca #pki #certificates #mtls #internal-tls
terminal-skills · v1.0.0
Works with: claude-code, openai-codex, gemini-cli, cursor
Trust Score: 67/100
  • Quality: 67/100 (does it follow best practices?): 1 PASS · 5 WEAK
  • Security: passed, no known issues (content review + injection scan)
  • Impact: 3.18× (28% → 89% agent success, avg across 2 eval scenarios)
  • Scored 5/13/2026 · skill v1.0.0

Getting Started

  1. Install the skill using the command above
  2. Open your AI coding agent (Claude Code, Codex, Gemini CLI, or Cursor)
  3. Reference the skill in your prompt
  4. The AI will use the skill's capabilities automatically

Example Prompts

  • "Deploy the latest build to the staging environment and run smoke tests"
  • "Check the CI pipeline status and summarize any recent failures"

Documentation

Overview

step-ca is a private certificate authority for issuing TLS certificates to internal services. It automates certificate issuance, renewal, and revocation, like Let's Encrypt but for private infrastructure.

Instructions

Step 1: Initialize CA

```bash
brew install step
step ca init --name "Internal CA" --dns localhost --address :443 --provisioner admin
```

Step 2: Issue Certificates

```bash
step-ca $(step path)/config/ca.json    # start CA server
step ca certificate api.internal api.crt api.key    # issue cert
```

Step 3: Auto-Renewal

```bash
step ca renew --daemon api.crt api.key    # auto-renews before expiry
```

Step 4: mTLS Between Services

```typescript
// server.ts — Node.js server with mutual TLS
import https from 'https'
import fs from 'fs'
import { TLSSocket } from 'tls'

const server = https.createServer({
  cert: fs.readFileSync('server.crt'),
  key: fs.readFileSync('server.key'),
  ca: fs.readFileSync('root_ca.crt'),   // step-ca root; client certs must chain to it
  requestCert: true,          // require client certificate
  rejectUnauthorized: true,   // abort the handshake if the client cert does not chain to `ca`
}, (req, res) => {
  // req.socket is typed as net.Socket; getPeerCertificate() lives on tls.TLSSocket
  const clientCN = (req.socket as TLSSocket).getPeerCertificate().subject.CN
  res.end('Hello ' + clientCN)
})

server.listen(8443)   // listen port is an assumption; the skill does not specify one
```
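The handler above greets any client whose certificate the CA signed, so deciding which services may call this one still needs a check on the certificate's identity. This added example (not part of the skill's own documentation) extracts the SAN DNS names (falling back to the CN) from the peer certificate and matches them against a per-service allowlist; the allowlist contents, the file names and port 8443 are assumptions.

```typescript
// Added example (not from the step-ca skill): authorize the caller after the mTLS handshake.
// requestCert + rejectUnauthorized only prove the client holds a certificate the CA issued;
// which services may call this one is a separate decision based on the certificate identity.
import * as https from 'https'
import * as fs from 'fs'
import { TLSSocket } from 'tls'

// The subset of getPeerCertificate()'s result that the check needs.
interface PeerIdentity {
  subject?: { CN?: string }
  subjectaltname?: string   // Node renders SANs as "DNS:api.internal, DNS:api, IP Address:10.0.0.5"
}

// Every DNS name the certificate asserts: SAN dNSName entries, falling back to the CN.
function dnsNamesOf(peer: PeerIdentity): string[] {
  const names = new Set<string>()
  for (const entry of (peer.subjectaltname ?? '').split(',')) {
    const [kind, value] = entry.trim().split(/:(.+)/)   // split on the first ':' only
    if (kind === 'DNS' && value) names.add(value.toLowerCase())
  }
  if (names.size === 0 && peer.subject?.CN) names.add(peer.subject.CN.toLowerCase())
  return Array.from(names)
}

// Returns the allowlisted identity the certificate carries, or null when it carries none.
function authorizePeer(peer: PeerIdentity, allowed: string[]): string | null {
  const allowSet = new Set(allowed.map(a => a.toLowerCase()))
  for (const name of dnsNamesOf(peer)) if (allowSet.has(name)) return name
  return null
}

// Same server as in Step 4, with the authorization check in the request handler.
// The allowlist contents, file names and port 8443 are assumptions.
function startServer(allowedCallers: string[], port = 8443): https.Server {
  const server = https.createServer({
    cert: fs.readFileSync('server.crt'),
    key: fs.readFileSync('server.key'),
    ca: fs.readFileSync('root_ca.crt'),
    requestCert: true,
    rejectUnauthorized: true,   // unauthenticated clients never reach the handler
  }, (req, res) => {
    const who = authorizePeer((req.socket as TLSSocket).getPeerCertificate(), allowedCallers)
    if (who === null) { res.writeHead(403); res.end('forbidden'); return }
    res.end('Hello ' + who)
  })
  return server.listen(port)
}
```

Call `startServer(['billing.internal'])` to accept only certificates issued to that service name; everything else that the CA signed gets a 403 instead of a greeting.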

Guidelines

  • Use step-ca for internal services and Let's Encrypt for public-facing ones.
  • Short-lived certs (24h) with auto-renewal are more secure than long-lived ones, because a leaked key stops being useful as soon as the cert expires.
  • Supports the ACME protocol, so standard ACME clients such as Certbot and Caddy can request certificates from it.
  • Integrates with Kubernetes cert-manager for automatic pod certificates.

Information

Version: 1.0.0
Author: terminal-skills
Category: DevOps
License: Apache-2.0