The cutting edge of cryptographic comms for distributed systems

Lock down Jamf MDM enrollment to only verified company-owned devices with Smallstep’s next-gen device identity.

MASQUE is a modern application-layer standard that takes a fresh approach to securing traffic, and here's why we're excited about it.

Now in it's fifth year, it's the Smallstep Holiday Project! And this one's a doozy...

A tell-it-all guide for small teams like ours looking to automate design workflows, reduce UI development time by 50%, and eliminate the headaches of manual styling.

We asked Smallsteppers for their best advice to stay protected from phishing attempts.

iOS 14 and macOS Sequoia 15 introduces a new privacy feature: randomised MAC addresses for Wi-Fi networks. Hence, if you're still relying on MAC Address Filtering or SSID Hiding to secure your enterprise Wi-Fi network, it's time to rethink your strategy.

Upgraded key protection is a popular Silicon Valley folk remedy for CISO insomnia

We've created a device authentication factor for Okta.

Let’s Encrypt, the non-profit Certificate Authority that offers free SSL/TLS certificates for secure HTTPS connections, has announced plans to end OCSP support in favor of CRLs. What are those, and why? Read to find out.

At WWDC24, Apple announced Private Cloud Compute. Relying heavily on crytographic attestation, it raises the bar on cloud privacy and security.

This is the comprehensive in-depth guide on Wi-Fi security you never knew you needed. Learn about the different modes of Wi-Fi authentication (Open, Personal PSK, Enterprise 802.1x) + Wi-Fi encryption grades (WEP, WPA, WPA2, WPA3), how one is superior (or inferior) to the other, and which Wi-Fi network security setup is the most secure.

In this post, Carl covers the real-world challenges of release engineering that we've encountered publishing our popular open-source packages over the past 5 years.

Market data that shows 78% of the Fortune 100 companies actively engage with Smallstep's open source software. This key discovery reaffirms Smallstep's vision to provide frictionless secure connections for individuals, devices, and software services, making best practices accessible to every organization.

We surveyed 155 security professionals — across small, medium, and large sized companies — on their plans around certificate usage in 2024. The results reveal that certificates for device identity is where the future is headed.

Discover how Apple Managed Device Attestation (MDA) helps realise Zero Trust Security by guaranteeing secure MDM device enrollment and web application protection.

This article answers important questions for someone who has been hearing about EAP TLS, certificate-based WiFi, RADIUS, and who may have been tasked with building out a proof of concept (POC) and wants to know how to proceed.

For our 2023 holiday project, we're setting up an WPA3 Enterprise certificate-authenticated Wi-Fi network at home! And when your family from out of town asks to "jump on the Wi-Fi real quick," you'll learn why this type of network is such a hassle to manage.

How to setup a passwordless SSH connection between a Windows 11 PC and an Ubuntu VM on Azure, using Smallstep short-lived SSH certificates.

Thousands of developers, DevOps, and security professionals trust Smallstep. Discover how three of our open-source community members use step-ca (our open source online certificate authority) to seamlessly incorporate automation into their projects and simplify their workflows.

As Microsoft deprioritizes Active Directory in favor of Entra, the cost of supporting AD CS. It is time to consider migrating your PKI to a modern, consolidated, and robust platform like Smallstep. This tutorial guides you through the process of getting started.

In this tutorial, we will set up the Smallstep Agent on an Ubuntu/Debian Linux VM, and use it to manage TLS certificates for a Redis workload.

Organisations that still cling to their legacy Public Key Infrastructure (PKI) like Microsoft Active Directory Certificate Services, struggle with inefficiency and security loopholes. If you're still unsure, read this.

You want the easy management of encryption and authentication that Smallstep provides - but you have legacy systems trusting old root certificates. Here's the great news - you can now do it all with bring your own root capabilities at Smallstep.

We are excited to announce that Smallstep is evolving into an end-to-end encryption platform. You can now manage the entire certificate lifecycle for everything within infrastructure, all from one place.

As social engineering and phishing attacks become more prevalent, it's clear that a shift away from legacy forms of authentication is necessary. Learn about alternative phishing-resistant authentication methods you can adopt to better protect your organization.

With phishing attacks on the rise, passwords are no longer a reliable method for granting infrastructure access or authenticating users. It is time to adopt authentication methods that don't rely on shared secrets.

Let's explore the Trusted Platform Module (TPM), a standardized crypto processor chip that has recently become ubiquitous in our devices.

'Provisioners' are crucial to how the Smallstep Platform works, and a faint understanding of what they are and do, is required to effectively use the Smallstep platform and open-source tools to issue and manage certificates.

By combining YubiKey’s smart card support with mutual TLS client certificates, hardware-bound private keys, and device attestation, you can expose your homelab to the internet in a way that carries very low security risk.

We've just added EAB to our ACME server. EAB adds more security and control to the process of automating certificate management actions for machines and services using the ACME protocol. Read on to find out what this means for you as a Smallstep user.

Get into all your hosts quickly and reduce the toil of manually finding and renewing SSH keys with Smallstep SSH Professional. Combine that with Indent’s time-bound, on-demand access and you have better security in minutes.

Here are some of the (many, many) reasons our customers trust and use Smallstep for SSH.

Apple MDA, GitHub OIDC, systemd-creds, Passkeys, and Identity-Aware Proxies: Here's a look at some infrastructure security advancements that caught our attention in 2022.

With GitHub Actions OIDC tokens and Smallstep Certificate Manager, you can access protected internal resources like cloud services, databases, websites, or Kubernetes clusters using short-lived TLS certificates and no hard-coded secrets!

A good PKI is essential for most organizations’ security models. However, building one from scratch is much easier said than done. Don't build your own PKI. Take it from me; I tried to, and this is my (horror) story.

Public web certificate authorities like Let's Encrypt were not designed to support internal use cases. What you need is a private certificate authority.

Learn the differences between our Devops and Advanced Authorities offerings

We’ve launched an ACME Registration Authority quickstart guide to help you easily automate certificate issuance and renewal to endpoints within walled-off networks. Read up on Registration Authorities and why may need them.

The shift from SCEP to ACME device attestation is a boon for endpoint security.

Have you ever wondered how to securely enroll a brand new phone or laptop onto your network and with your PKI? In this post we describe ACME Device Attestation, which uses a strong cryptographic proof of identity to request a client certificate from an internal PKI. It is set to replace SCEP as the premier method for enrolling with a CA. We’re very excited about it, and you should be too.

Although SSH certificates are the most secure way to regulate SSH access, they are underutilised. They're also frequently confused with X.509 (aka TLS) certificates. This article explains what SSH certificates are, why you should be using them, and how they differ from their more popular X.509 counterparts.

Stop managing and rotating AWS IAM credentials in your workloads. IAM now lets you delegate AWS authentication to an ACME Certificate Authority.

With systemd-creds, hardware-protected secrets just got a lot easier in Linux

Managing Kubernetes is hard. Securing Kubernetes workloads is hard. Here's my journey into making it easier to use Kubernetes TLS.

Today is the first step in the Certificate Manager journey. We delivered the core platform to make users successful and are excited to see what you will do with it.

What if OpenSSL were a GUI program? Here's what it might look like.

We integrated the Smallstep toolchain into Kelsey Hightower's excellent tutorial, Kubernetes The Hard Way.

We have secured our seed and Series A funding - this is a huge thank you to our investors and our community who believe in us and continue to help us make Production Identity a reality.

As I round the bend on two years at Smallstep, I have to ask myself: Why is this going so well?

We researched how dozens of Docker services handle TLS certificates, and developed a few patterns for automating certificate management in container environments.

Part one of a three part series on securing MongoDB with TLS: How to set up a Certificate Authority for MongoDB servers and clients.

Part two of a three part series on securing MongoDB with TLS: Configuring MongoDB with server and client TLS validation.

The last in a three part series on securing MongoDB: Setting up a cluster TLS with X509 user authentication.

We're excited to announce a new release of our HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.

A step-by-step guide to securing Istio and Kubernetes workloads using an open-source private certificate authority.

We set up mutual TLS between five services for secure homelab monitoring with Grafana, Prometheus, Loki, Promtail, and node_exporter.

How to keep secret credentials safe on the command line.

How to use a PKCS #11 HSM with step-ca to protect your private keys

Internal PKI continues to be essential but struggles with modern practices. But don't worry, there is hope.

Let's make a tiny, standalone CA! We'll use a Raspberry Pi 4, YubiKey 5 NFC, and Infinite Noise TRNG.

ACME is a great protocol for internal certificate management, but enterprise software is not yet ready.

We added SSH certificate templates to step-ca, and it opened up some unexpected opportunities.

We're excited to announce our new HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.

We've added X.509 certificate templates to Step Certificates

What became clear in our product-led research is that we made a few mishaps. And there was one in particular that we wanted to fix ASAP. A series of go-to-market learnings and mishaps from smallstep.

How to create and deploy a simple and minimal bastion host on Ubuntu 20.04 LTS.

Learn how to prepare for emergency access to your SSH hosts.

Naming a CLI command requires deep and careful deliberation.

The SSH agent acts behind the scenes to keep you safe. Here's how it works.

A few of our favorite SSH tricks and tips sure to improve your daily experience.

step now supports Microsoft Windows AND step-ca provides first-class support for single sign-on SSH

It took a lot of late nights and weekends to get here. I’m incredibly thankful for the work of our fantastic team, early access customers, and to their families for behind the scenes support. Today, we’re excited to announce the output of that work: the general availability of Smallstep SSH Professional Edition.

Let's set up Google SSO for SSH! We’ll use OpenID Connect (OIDC), SSH certificates, a clever SSH configuration tweak, and Smallstep’s open source packages.

Video recording of the 10-minute lightning talk from Mike Malone on using SSH Certificates. This was recorded at BSidesSF 2020.

For the pragmatists and learn-by-doing people who want to get up and running quickly, we''ve launched a new interactive onboarding utility. It walks through the process of running a private CA and connecting two systems in your infrastructure.

step and step-ca (v0.11.0) adds support for cloud instance identity documents (IIDs), making it embarrassingly easy to get certificates to workloads running on public cloud virtual machines (VMs). This post introduces IID-based authentication with step and step-ca, and notes some interesting architectural and security details.

With today's release (v0.13.0), you can now use ACME to get certificates from step-ca. ACME (RFC8555) is the protocol that Let's Encrypt uses to automate certificate management for websites. ACME radically simplifies the deployment of TLS and HTTPS by letting you obtain certificates automatically, without human interaction.

Automating internet security with the Let’s Encrypt certificate authority has led to the massive acceleration of safe web browsing. As we roll out ACME protocol support and give away some free hoodies, we want to thank Let’s Encrypt and the IETF for making it all possible.

SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

No more editing Authorized_keys files for every change in membership and especially no more warnings about “remote host identification changes.

This issue is a discussion about the trust anchor and dependencies of systems. While a clever turtle reference often satisfies the room, getting a real answer to this question is fundamental to modern security practices.

The big headline feature for this release is instance identity document support but there are a ton of other small improvements in this release including Helm, key types, self-signed certs, group checks for SSO, email SAN, bundling and other upgrades.

Great Minds Really Do Think Alike! I found an inarguable topic in the most unlikely of places, deep in the conversations between cyber-security experts.

In this post, we will explore how successful public internet practices provide a set of instructions for how the industry should be thinking about securing internal systems. The second edition of the Modern Security for Leaders series.

smallstep’s vision is centered on modernizing security practices using the best available technology to solve security challenges. Now you’re probably saying (as I was at this point), there are hundreds of companies out there spending billions of dollars on modernizing practices. How much market is really left for a scrappy startup? Turns out a lot!

If you're a normal human person you probably don't think much about certificate revocation. This post will help you justify your apathy. It will explain why your indifference is, in fact, the technically correct attitude to have regarding this particular detail of your system's security architecture.

Introducing step v0.9.0: Most enterprise IAM systems expose OpenID Connect (a suite of single-sign-on protocols that allow the creation of accounts and login into third party applications using a single account per user identity). In step v0.9.0 you can now leverage OpenID Connect to authenticate with step certificates to make issuance of personal certificates simple.

Almost 80% of web page loads now use TLS. But almost no one uses TLS in development and pre-production. Why? Because it's hard. That sucks. When dev and staging don't match prod, bad things happen. Today's step release, version 0.8.6, makes using TLS in dev & pre-prod environments a whole lot easier.

The purpose of federation is to allow for secure communication across autonomous systems (e.g., across clouds or between kubernetes clusters). In this post, we’ll take a closer look into how federation works and how the step toolkit expands robust identity bootstrapping beyond a single Kubernetes cluster, cloud, or VM without getting bogged down by operational challenges.

Introducing step Certificates, an open-source project that makes secure automated certificate management easy, so you can use TLS and easily access anything, running anywhere, from everywhere. But step certificates is more than a certificate authority. It provides all the missing bits you need to run your own internal public key infrastructure (PKI).

Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who''ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It''s universal and vendor-neutral yet poorly documented. This is the missing manual.

This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for the public internet, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs. I suspect this will elicit a range of reactions from apathy to animosity. Regardless, read on.

A better security model exists. Instead of relying on IP and MAC addresses to determine access we can cryptographically authenticate the identity of people and software making requests. It’s a simple concept, really: what matters is who or what is making a request, not where a request comes from. In short, access should be based on production identity