diff --git a/command/certificate/create.go b/command/certificate/create.go
index 906e6ecf..b032bd4f 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
@@ -45,7 +45,8 @@ func createCommand() cli.Command {
 [**--password-file**=<path>] [**--ca**=<issuer-cert>]
 [**--ca-key**=<issuer-key>] [**--ca-password-file**=<path>]
 [**--san**=<SAN>] [**--bundle**] [**--key**=<path>]
-[**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>] [**--no-password**]`,
+[**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>]
+[**--no-password**] [**--insecure**]`,
 		Description: `**step certificate create** generates a certificate or a
 certificate signing request (CSR) that can be signed later using 'step
 certificate sign' (or some other tool) to produce a certificate.
@@ -421,7 +422,7 @@ func createAction(ctx *cli.Context) error {
 	insecure := ctx.Bool("insecure")
 	noPass := ctx.Bool("no-password")
 	if noPass && !insecure {
-		return errs.RequiredWithFlag(ctx, "insecure", "no-password")
+		return errs.RequiredWithFlag(ctx, "no-password", "insecure")
 	}
 
 	subject := ctx.Args().Get(0)
diff --git a/command/crypto/change-pass.go b/command/crypto/change-pass.go
index 996c1fc8..39b542f7 100644
--- a/command/crypto/change-pass.go
+++ b/command/crypto/change-pass.go
@@ -100,7 +100,7 @@ func changePassAction(ctx *cli.Context) error {
 	decryptPassFile := ctx.String("password-file")
 	encryptPassFile := ctx.String("new-password-file")
 	if noPass && !insecure {
-		return errs.RequiredWithFlag(ctx, "insecure", "no-password")
+		return errs.RequiredWithFlag(ctx, "no-password", "insecure")
 	}
 
 	keyPath := ctx.Args().Get(0)
diff --git a/command/crypto/keypair.go b/command/crypto/keypair.go
index 9fd7821d..cd061f6c 100644
--- a/command/crypto/keypair.go
+++ b/command/crypto/keypair.go
@@ -20,7 +20,7 @@ func createKeyPairCommand() cli.Command {
 		Usage:  "generate a public / private keypair in PEM format",
 		UsageText: `**step crypto keypair** <pub_file> <priv_file>
 [**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--password-file**=<file>] [**--no-password**]`,
+[**--password-file**=<file>] [**--no-password**] [**--insecure**]`,
 		Description: `**step crypto keypair** generates a raw public /
 private keypair in PEM format. These keys can be used by other operations
 to sign and encrypt data, and the public key can be bound to an identity
@@ -110,7 +110,7 @@ func createAction(ctx *cli.Context) (err error) {
 		return errs.IncompatibleFlag(ctx, "no-password", "password-file")
 	}
 	if noPass && !insecure {
-		return errs.RequiredWithFlag(ctx, "insecure", "no-password")
+		return errs.RequiredWithFlag(ctx, "no-password", "insecure")
 	}
 
 	// Read password if necessary