Add more kms examples

maraino · maraino · commit b36ab17d9bc4 · 2026-02-04T11:04:31.000-08:00
diff --git a/command/ca/certificate.go b/command/ca/certificate.go
@@ -109,6 +109,13 @@ Request a new certificate with an X5C provisioner:
 $ step ca certificate foo.internal foo.crt foo.key --x5c-cert x5c.cert --x5c-key x5c.key
 '''
 
+Request a new certificate with an X5C using an certificate from a Yubikey:
+'''
+$ step ca certificate joe@example.com joe.crt joe.key \
+  --x5c-cert yubikey:slot-id=9a \
+  --x5c-key 'yubikey:slot-id=9a?pin=value=123456'
+'''
+
 **Certificate Templates** - With a provisioner configured with a custom
 template we can use the **--set** flag to pass user variables:
 '''
diff --git a/command/ca/rekey.go b/command/ca/rekey.go
@@ -85,7 +85,8 @@ $ step ca rekey --force internal.crt internal.key
 
 Rekey a certificate using a KMS, with another from the same KMS:
 '''
-$ step ca rekey --private-key yubikey:slot-id=9a yubikey.crt yubikey:slot-id=82
+$ step ca rekey --private-key 'yubikey:slot-id=9a?pin-value=123456' \
+  yubikey.crt 'yubikey:slot-id=82?pin-value=123456'
 '''
 
 Rekey a certificate using a KMS with the <--kms> flag:
@@ -95,6 +96,11 @@ $ step ca rekey \
   --private-key 'pkcs11:id=4002' pkcs11.crt 'pkcs11:id=4001'
 '''
 
+'''
+$ step ca rekey --key yubikey:pin-value=123456 --private-key yubikey:slot-id=9a \
+  yubikey.crt 'yubikey:slot-id=82
+'''
+
 Rekey a certificate providing the <--ca-url> and <--root> flags:
 '''
 $ step ca rekey --ca-url https://ca.smallstep.com:9000 \
diff --git a/command/ca/renew.go b/command/ca/renew.go
@@ -107,7 +107,7 @@ $ step ca renew --mtls=false --force internal.crt internal.key
 
 Renew a certificate which key is in a KMS:
 '''
-$ step ca renew yubikey.crt yubikey:slot-id=9a
+$ step ca renew yubikey.crt 'yubikey:slot-id=9a?pin-value=123456'
 '''
 
 Renew a certificate which key is in a KMS, using the <--kms> flag:
diff --git a/command/ca/token.go b/command/ca/token.go
@@ -173,8 +173,9 @@ Generate an X5C provisioner token using a certificate in a YubiKey. Note that a
 YubiKey does not support storing a certificate bundle. To make it work, you must
 add the intermediate and the root in the provisioner configuration:
 '''
-$ step ca token --kms yubikey:pin-value=123456 \
-  --x5c-cert yubikey:slot-id=82 --x5c-key yubikey:slot-id=82 \
+$ step ca token \
+  --x5c-cert yubikey:slot-id=82 \
+  --x5c-key 'yubikey:slot-id=82?pin=value=123456' \
   internal.example.com
 '''
 
diff --git a/command/certificate/create.go b/command/certificate/create.go
@@ -332,12 +332,12 @@ $ step certificate create --csr --template csr.tpl --san coyote@acme.corp \
 
 Create a CSR using <step-kms-plugin>:
 '''
-$ step certificate create --csr --key yubikey:slot-id=9a coyote@acme.corp coyote.csr
+$ step certificate create --csr --key 'yubikey:slot-id=9a?pin=value=123456' coyote@acme.corp coyote.csr
 '''
 
 Create a root certificate using <step-kms-plugin>:
 '''
-$ step certificate create --profile root-ca --key yubikey:slot-id=9a 'KMS Root' root_ca.crt
+$ step certificate create --profile root-ca --key 'yubikey:slot-id=9a?pin=value=123456' 'KMS Root' root_ca.crt
 '''
 
 Create a root certificate using <step-kms-plugin> and the <--kms> flag:
