diff --git a/command/certificate/create.go b/command/certificate/create.go
index 9494bdda5..ba6699c10 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
@@ -41,14 +41,15 @@ func createCommand() cli.Command {
 		Action: command.ActionFunc(createAction),
 		Usage:  "create a certificate or certificate signing request",
 		UsageText: `**step certificate create** <subject> <crt-file> <key-file>
-[**--kms**=<uri>] [**--csr**] [**--profile**=<profile>]
-[**--template**=<file>] [**--set**=<key=value>] [**--set-file**=<file>]
-[**--not-before**=<duration>] [**--not-after**=<duration>]
-[**--password-file**=<file>] [**--ca**=<issuer-cert>] 
-[**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
-[**--ca-kms**=<uri>] [**--san**=<SAN>] [**--bundle**] [**--key**=<file>]
 [**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--skip-csr-signature**] [**--no-password**] [**--insecure**]`,
+[**--csr**] [**--profile**=<profile>] [**--template**=<file>]
+[**--set**=<key=value>] [**--set-file**=<file>]
+[**--not-before**=<duration>] [**--not-after**=<duration>] [**--san**=<SAN>]
+[**--ca**=<issuer-cert>] [**--ca-kms**=<uri>]
+[**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
+[**--kms**=<uri>] [**--key**=<file>] [**--password-file**=<file>]
+[**--bundle**] [**--skip-csr-signature**]
+[**--no-password**] [**--subtle**] [**--insecure**]`,
 		Description: `**step certificate create** generates a certificate or a
 certificate signing request (CSR) that can be signed later using 'step
 certificate sign' (or some other tool) to produce a certificate.
@@ -347,7 +348,7 @@ $ step certificate create \
   --profile intermediate-ca \
   --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password'
   --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
-  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \ 
+  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
   --key 'pkcs11:id=4001' \
   'My KMS Intermediate' intermediate_ca.crt
 '''
@@ -355,27 +356,29 @@ $ step certificate create \
 Create an intermediate certificate for an RSA decryption key in Google Cloud KMS, signed by a root stored on disk, using <step-kms-plugin>:
 '''
 $ step certificate create \
-  --profile intermediate-ca \ 
-  --ca root_ca.crt --ca-key root_ca_key \ 
-  --kms cloudkms: \ 
+  --profile intermediate-ca \
+  --ca root_ca.crt --ca-key root_ca_key \
+  --kms cloudkms: \
   --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
   --skip-csr-signature \
-  'My RSA Intermediate' intermediate_rsa_ca.crt 
+  'My RSA Intermediate' intermediate_rsa_ca.crt
 '''
 
 Create an intermediate certificate for an RSA signing key in Google Cloud KMS, signed by a root stored in an HSM, using <step-kms-plugin>:
 '''
 $ step certificate create \
-  --profile intermediate-ca \ 
+  --profile intermediate-ca \
   --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
-  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \ 
-  --kms cloudkms: \ 
+  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
+  --kms cloudkms: \
   --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
-  'My RSA Intermediate' intermediate_rsa_ca.crt 
+  'My RSA Intermediate' intermediate_rsa_ca.crt
 '''
 `,
 		Flags: []cli.Flag{
-			flags.KMSUri,
+			flags.KTY,
+			flags.Size,
+			flags.Curve,
 			cli.BoolFlag{
 				Name:  "csr",
 				Usage: `Generate a certificate signing request (CSR) instead of a certificate.`,
@@ -407,14 +410,34 @@ $ step certificate create \
 			flags.TemplateSet,
 			flags.TemplateSetFile,
 			cli.StringFlag{
-				Name: "password-file",
-				Usage: `The path to the <file> containing the password to
-encrypt the new private key or decrypt the user submitted private key.`,
+				Name: "not-before",
+				Usage: `The <time|duration> set in the NotBefore property of the certificate. If a
+<time> is used it is expected to be in RFC 3339 format. If a <duration> is
+used, it is a sequence of decimal numbers, each with optional fraction and a
+unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
+"us" (or "µs"), "ms", "s", "m", "h".`,
+			},
+			cli.StringFlag{
+				Name: "not-after",
+				Usage: `The <time|duration> set in the NotAfter property of the certificate. If a
+<time> is used it is expected to be in RFC 3339 format. If a <duration> is
+used, it is a sequence of decimal numbers, each with optional fraction and a
+unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
+"us" (or "µs"), "ms", "s", "m", "h".`,
+			},
+			cli.StringSliceFlag{
+				Name: "san",
+				Usage: `Add DNS or IP Address Subjective Alternative Names (SANs). Use the '--san'
+flag multiple times to configure multiple SANs.`,
 			},
 			cli.StringFlag{
 				Name:  "ca",
 				Usage: `The certificate authority used to issue the new certificate (PEM file).`,
 			},
+			cli.StringFlag{
+				Name:  "ca-kms",
+				Usage: "The <uri> to configure the KMS used for signing the certificate",
+			},
 			cli.StringFlag{
 				Name:  "ca-key",
 				Usage: `The certificate authority private key used to sign the new certificate (PEM file).`,
@@ -424,59 +447,34 @@ encrypt the new private key or decrypt the user submitted private key.`,
 				Usage: `The path to the <file> containing the password to
 decrypt the CA private key.`,
 			},
+			flags.KMSUri,
 			cli.StringFlag{
 				Name:  "key",
 				Usage: "The <file> of the private key to use instead of creating a new one (PEM file).",
 			},
+			cli.StringFlag{
+				Name: "password-file",
+				Usage: `The path to the <file> containing the password to
+encrypt the new private key or decrypt the user submitted private key.`,
+			},
 			cli.BoolFlag{
 				Name: "no-password",
 				Usage: `Do not ask for a password to encrypt the private key.
 Sensitive key material will be written to disk unencrypted. This is not
 recommended. Requires **--insecure** flag.`,
-			},
-			cli.StringFlag{
-				Name: "not-before",
-				Usage: `The <time|duration> set in the NotBefore property of the certificate. If a
-<time> is used it is expected to be in RFC 3339 format. If a <duration> is
-used, it is a sequence of decimal numbers, each with optional fraction and a
-unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
-"us" (or "µs"), "ms", "s", "m", "h".`,
-			},
-			cli.StringFlag{
-				Name: "not-after",
-				Usage: `The <time|duration> set in the NotAfter property of the certificate. If a
-<time> is used it is expected to be in RFC 3339 format. If a <duration> is
-used, it is a sequence of decimal numbers, each with optional fraction and a
-unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
-"us" (or "µs"), "ms", "s", "m", "h".`,
-			},
-			cli.StringSliceFlag{
-				Name: "san",
-				Usage: `Add DNS or IP Address Subjective Alternative Names (SANs). Use the '--san'
-flag multiple times to configure multiple SANs.`,
 			},
 			cli.BoolFlag{
 				Name: "bundle",
 				Usage: `Bundle the new leaf certificate with the signing certificate. This flag requires
 the **--ca** flag.`,
 			},
-			flags.KTY,
-			flags.Size,
-			flags.Curve,
-			flags.Force,
-			flags.Subtle,
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
-			cli.StringFlag{
-				Name:  "ca-kms",
-				Usage: "The <uri> to configure the KMS used for signing the certificate",
-			},
 			cli.BoolFlag{
 				Name:  "skip-csr-signature",
-				Usage: "Skip creating and signing a CSR",
+				Usage: "Skip creating and signing a CSR.",
 			},
+			flags.Force,
+			flags.Subtle,
+			flags.InsecureHidden,
 		},
 	}
 }
diff --git a/command/certificate/p12.go b/command/certificate/p12.go
index 68c45b242..d0564aab2 100644
--- a/command/certificate/p12.go
+++ b/command/certificate/p12.go
@@ -23,7 +23,8 @@ func p12Command() cli.Command {
 		Action: command.ActionFunc(p12Action),
 		Usage:  `package a certificate and keys into a .p12 file`,
 		UsageText: `step certificate p12 <p12-path> [<crt-path>] [<key-path>]
-[**--ca**=<file>] [**--password-file**=<file>]`,
+[**--ca**=<file>] [**--password-file**=<file>]
+[**--force**] [**--no-password**] [**--insecure**]`,
 		Description: `**step certificate p12** creates a .p12 (PFX / PKCS12)
 file containing certificates and keys. This can then be used to import
 into Windows / Firefox / Java applications.
diff --git a/command/crypto/hash/hash.go b/command/crypto/hash/hash.go
index 53eb7d892..c57e5406d 100644
--- a/command/crypto/hash/hash.go
+++ b/command/crypto/hash/hash.go
@@ -18,6 +18,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
 )
@@ -127,10 +128,7 @@ For examples, see **step help crypto hash**.
 		:  MD5 produces a 128-bit hash value
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }
@@ -187,10 +185,7 @@ For examples, see **step help crypto hash**.
 		:  MD5 produces a 128-bit hash value
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }
diff --git a/command/crypto/jwe/encrypt.go b/command/crypto/jwe/encrypt.go
index 15297ec2e..f71148945 100644
--- a/command/crypto/jwe/encrypt.go
+++ b/command/crypto/jwe/encrypt.go
@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -147,10 +148,7 @@ applications where more than one JWE payload type may be present. This
 parameter is ignored by JWE implementations, but may be processed by
 applications that use JWE.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
+			flags.SubtleHidden,
 		},
 	}
 }
diff --git a/command/crypto/jwk/create.go b/command/crypto/jwk/create.go
index 0b50fbcde..59aee24b7 100644
--- a/command/crypto/jwk/create.go
+++ b/command/crypto/jwk/create.go
@@ -377,9 +377,9 @@ existing <pem-file> instead of creating a new key.`,
 			},
 			flags.PasswordFile,
 			flags.NoPassword,
+			flags.Force,
 			flags.Subtle,
 			flags.Insecure,
-			flags.Force,
 		},
 	}
 }
diff --git a/command/crypto/jws/inspect.go b/command/crypto/jws/inspect.go
index 715d58c1b..00d6790a6 100644
--- a/command/crypto/jws/inspect.go
+++ b/command/crypto/jws/inspect.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -32,10 +33,7 @@ For examples, see **step help crypto jws**.`,
 				Usage: `Displays the header, payload and signature as a JSON object. The payload will
 be encoded using Base64.`,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }
diff --git a/command/crypto/jws/sign.go b/command/crypto/jws/sign.go
index 5cde9482d..73f2dd37b 100644
--- a/command/crypto/jws/sign.go
+++ b/command/crypto/jws/sign.go
@@ -150,10 +150,6 @@ string. When used with '--jwk' the <kid> value must match the **"kid"** member
 of the JWK. When used with **--jwks** (a JWK Set) the <kid> value must match
 the **"kid"** member of one of the JWKs in the JWK Set.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
 			cli.BoolFlag{
 				Name:   "no-kid",
 				Hidden: true,
@@ -161,6 +157,7 @@ the **"kid"** member of one of the JWKs in the JWK Set.`,
 			flags.PasswordFile,
 			flags.X5cCert,
 			flags.X5tCert,
+			flags.SubtleHidden,
 		},
 	}
 }
diff --git a/command/crypto/jws/verify.go b/command/crypto/jws/verify.go
index fc913b30d..d6798e47c 100644
--- a/command/crypto/jws/verify.go
+++ b/command/crypto/jws/verify.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -71,14 +72,8 @@ member its value must match <kid> or verification will fail.`,
 				Usage: `Displays the header, payload and signature as a JSON object. The payload will
 be encoded using Base64.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.SubtleHidden,
+			flags.InsecureHidden,
 		},
 	}
 }
diff --git a/command/crypto/jwt/sign.go b/command/crypto/jwt/sign.go
index 553a904bc..f5fd85b87 100644
--- a/command/crypto/jwt/sign.go
+++ b/command/crypto/jwt/sign.go
@@ -199,10 +199,6 @@ the **"kid"** member of one of the JWKs in the JWK Set.`,
 				Name:  "password-file",
 				Usage: `The path to the <file> containing the password to decrypt the key.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
 			cli.BoolFlag{
 				Name:   "no-kid",
 				Hidden: true,
@@ -210,6 +206,7 @@ the **"kid"** member of one of the JWKs in the JWK Set.`,
 			flags.X5cCert,
 			flags.X5tCert,
 			flags.X5cInsecure,
+			flags.SubtleHidden,
 		},
 	}
 }
diff --git a/command/crypto/jwt/verify.go b/command/crypto/jwt/verify.go
index 7f0e00674..d3b3c4f8a 100644
--- a/command/crypto/jwt/verify.go
+++ b/command/crypto/jwt/verify.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -89,18 +90,12 @@ member its value must match <kid> or verification will fail.`,
 				Name:  "password-file",
 				Usage: `The path to the <file> containing the password to decrypt the key.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
 			cli.BoolFlag{
 				Name:   "no-exp-check",
 				Hidden: true,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.SubtleHidden,
+			flags.InsecureHidden,
 		},
 	}
 }
diff --git a/command/crypto/kdf/kdf.go b/command/crypto/kdf/kdf.go
index f854ed94f..0251cbb26 100644
--- a/command/crypto/kdf/kdf.go
+++ b/command/crypto/kdf/kdf.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/internal/kdf"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
@@ -149,10 +150,7 @@ appear in places you might not expect. If omitted input is read from STDIN.`,
 		: A password-based KDF optimized to resist GPU and side-channel attacks.
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }
diff --git a/command/crypto/otp/verify.go b/command/crypto/otp/verify.go
index 864e44fe0..a2d1cb380 100644
--- a/command/crypto/otp/verify.go
+++ b/command/crypto/otp/verify.go
@@ -63,10 +63,7 @@ as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms"
 "s", "m", "h". A <duration> value is added to the current time. An empty
 <time|duration> defaults to "time.Now()".`,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }
diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
index 67e649e5c..93976db98 100644
--- a/command/oauth/cmd.go
+++ b/command/oauth/cmd.go
@@ -289,17 +289,13 @@ OpenID standard defines the following values, but your provider may support some
 				Usage:  "Uses the implicit flow to authenticate the user. Requires **--insecure** and **--client-id** flags.",
 				Hidden: true,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Usage:  "Allows the use of insecure flows.",
-				Hidden: true,
-			},
 			cli.StringFlag{
 				Name:   "browser",
 				Usage:  "Path to browser for OAuth flow (macOS only).",
 				Hidden: true,
 			},
 			flags.RedirectURL,
+			flags.InsecureHidden,
 		},
 		Action: oauthCmd,
 	}
diff --git a/flags/flags.go b/flags/flags.go
index f45d39ad3..dccce4995 100644
--- a/flags/flags.go
+++ b/flags/flags.go
@@ -69,7 +69,14 @@ unset, default is P-256 for EC keys and Ed25519 for OKP keys.
 
 	// Subtle is the flag required for delicate operations.
 	Subtle = cli.BoolFlag{
-		Name: "subtle",
+		Name:  "subtle",
+		Usage: "Allow delicate operations.",
+	}
+
+	// SubtleHidden is the hidden flag required for delicate operations.
+	SubtleHidden = cli.BoolFlag{
+		Name:   "subtle",
+		Hidden: true,
 	}
 
 	// Insecure is the flag required on insecure operations
@@ -77,6 +84,12 @@ unset, default is P-256 for EC keys and Ed25519 for OKP keys.
 		Name: "insecure",
 	}
 
+	// InsecureHidden is the hidden flag required on insecure operations.
+	InsecureHidden = cli.BoolFlag{
+		Name:   "insecure",
+		Hidden: true,
+	}
+
 	// K8sSATokenPathFlag is an optional flag that allows modification of the
 	// kubernetes service account token path.
 	K8sSATokenPathFlag = cli.StringFlag{