Smallstep loves open source

Smallstep built and maintains the most popular open source certificate management toolchain. Our suite of projects enables robust, automated PKI systems with workflows that seamlessly integrate in the cloud and on-prem.

Check out our most popular repos

cli

🧰 A zero trust Swiss Army knife for working with X509, OAuth, JWT, OATH OTP, etc.

3.8k
268
153

certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

7.2k
461
212

autocert

⚓ A Kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers

0.7k
58
19

STEP-CA

X.509 and SSH certificates made easy

step-ca provides the infrastructure, automations, and workflows to securely create and operate a private certificate authority (CA). step-ca makes it easy for developers, operators and security teams to manage certificates for production workloads.

Quickly bootstrap internal PKI

Get public key infrastructure and certificate authority running in minutes.

Securely issue certificates

Automate enrollment using ACME, OIDC, one-time tokens, cloud APIs and more.

Operationalize renewals

Use systemd timers, daemon mode, cron jobs, CI/CD, and more to automate certificate management.

Use TLS and/or SSH everywhere

Build and operate systems using secure open standards (e.g. X.509, mTLS, JWT, OAuth, OIDC).

STEP-CLI

The command-line interface for all things Smallstep

step-cli is a command-line tool for developers, operators, and security professionals to configure and automate the Smallstep toolchain. It is a Swiss Army knife for the day-to-day operations of open standard identity technologies.

Get certificates from step-ca and Certificate Manager

Administer your CA and get certificates using step.

Automate client certificates

Support for Mac, Windows, and Linux operating systems.

Inspect and lint certificates

View certificate details in human-readable or JSON formats.

Manage JWTs and Tokens

Get, inspect, and validate OAuth access tokens, identity tokens, and JWTs.

Easy to use, hard to misuse

Safe defaults everywhere encourage best practices by making the right thing easy. Insecure or subtle operations are gated with flags to prevent accidental misuse.

Help that’s actually helpful

Run step help on any subcommand to find thorough documentation, examples, and in-depth discussion of relevant security, architectural, and operational considerations.

Friendly workflows

Thoughtfully designed to be intuitive, get the job done, and get out of the way. With step, complex security operations become simple and obvious.

Love from our community

Limitations of open source

While we think step-ca is the best open source, online Certificate Authority on the internet, every piece of software comes with limitations and tradeoffs. step-ca is designed to favor a simple deployment of a scalable two-tiered X.509 PKI, with one Root CA and one Intermediate CA that issues end-entity certificates with passive revocation.

Limitations of step-ca that grew out of our design choices:

  • It issues X.509 certificates from a single configured Intermediate CA; multiple issuing CAs are not supported
  • Its root CA is always offline; a single-tier PKI is not supported
  • Issuance policies are authority-wide
  • There are known ACME concurrency limits for high-availability CAs
  • Very limited options for active revocation (CRL, OCSP)
  • Very limited options for legacy CA protocols
  • Very limited options for device attestation
  • No integration with Certificate Transparency (CT) logs
  • No support for certificate issuance history or metrics
  • No support for ACME External Account Binding (EAB)

If your use case demands these features, you should talk to us because you may be better served by our commercial platform.

Transition from open source without friction

Designed for mission-critical DevOps use cases, Step CA Pro is a drop-in replacement for the open source step-ca component. Step CA Pro provides advanced features, compliance options, and full control over the CA and root signing keys, while you benefit from our cloud-based integrations and management interface.

Step CA Pro

Get the Data Sheet

Step CA Pro unlocks device identity to ensure that only trusted devices can access your enterprise's most sensitive resources. Our collaboration with Google and Apple on the ACME Device Attestation (ACME DA) standard provides the strongest possible guarantee of authentic device identity, preventing credential exfiltration, phishing, and impersonation attacks.

Learn more about the platform

The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.

Enforce device identity everywhere

Whether you’re working towards a compliance standard, closing gaps in policy enforcement, or preventing nation-state attacks, our team is here to show you how the Device Identity Platform™ can help.
