Smallstep CM Pricing
Smallstep Cloud Platform
Free
from $0*
For a single user in dev and homelab environmments.
- 1 user
- 1 DevOps Authority
- 20 managed certificate endpointsGood for short-lived certificates and DevOps environments. [Learn more >](/certificate-manager/)
- Community Support via Discord
*Utilization of Advanced Authority features will result in charges while on Free plan
Team
from $249
For small teams and standard deploys.
- Okta, Azure AD, Google Workplace integration
- 3 admin users
- 50 managed certificate endpointsCertificate Endpoints in excess of plan quota are billed at $0.75/endpoint/mo.
- 1 DevOps Authority
- Access to Advanced Authority features
- SIEM integration
- Standard Customer Support
Enterprise
Custom
For larger team with enterprise environments.
- Okta, Azure AD, Google Workplace integration
- Unlimited admin users
- Unlimited managed certificate endpoints
- Unlimited DevOps AuthorityAdditional DevOps authorities: $49/mo
- Unlimited Advanced AuthorityAdditional Advanced authorities: $499/mo
- SIEM integration
- Premium Customer Support
Have a large environment?
Additional Certificate Endpoints are available with bulk discounts.
Talk to the PKI experts to see if you could be saving big on your securely managed endpoints.
Compare Authorities Features
DevOps
Free
1st free then $49 per month
Advanced
$499
Per month per authority
Features
Highly-available certificate authority
Short-lived certificates with automated renewal
Private keys in GCP cloud KMS
Private Keys in GCP cloud HSM
EC-P256 root & signing key types
Registration Authorities (RAs)
One per Authority
Unlimited
Provisioners
Three per Authority
Unlimited
Provisioner management UI
Coming Soon
Coming Soon
Seamless integration with ACME & Kubernetes
Active revocation
Custom key types and key Import
BYO root & custom CA hierarchies
Certificate Allow / deny
Authority level
Authority & provisioner level
FIPS compliant step-ca (for Linked & RAs)
Coming soon
Certificate approval queue
Renew after expiry
Observability
Endpoint status reporting
Issued certificates details in UI
Expiry events via email
View authority provisioners and admins
Expiry events via webhook event
With Business Account
With Business Account
Export to webhook / SIEM
With Business Account
With Business Account
Dashboard single sign-on
With Team or Business Account
With Team or Business Account
Authenticated Issuance
Authenticated certificate issuance
ACME protocol support
All Let's Encrypt challenge types
All LE + External Account Binding
OIDC - bind user email to SAN/name for developer access
OIDC - admin user create any SAN/name for custom certificate
OIDC - SSO identity token or device auth grant workflows
AWS, GCP, Azure instance identity docs for cloud infrastructure
Password, one-time token, or multi-use token authentication
Kubernetes cert-manager Issuer
Exchange Nebula credential for x.509 certificate
Exchange Nebula credential for x.509 certificate
Customer API
Coming Soon
Coming Soon
Authorize & Customize
Templatized customization of certificates
Allow / deny lists
Authority Level
Authority and Provisioner Level
ACME External Account Binding (EAB)
Issuance with human approver
Inventories for metadata enrichment or access control
Renewal
Single command renewal
SystemD timers
Stand-alone daemon
Cron jobs
Configuration management
Manual renewal by admin
API for renewal
Renew after expiry
Revocation
Passive revocation
UI for certificate revocation
Coming Soon
Coming Soon
Active revocation - CRL
Active revocation - OCSP