Smallstep loves open source
Smallstep built and maintains the most popular open source certificate management toolchain. Our suite of projects enables robust, automated PKI systems with workflows that seamlessly integrate in the cloud and on-prem.
Check out our most popular repos
cli
🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
certificates
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
autocert
⚓ A Kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers
STEP-CA
X.509 and SSH Certificates made easy
step-ca provides the infrastructure, automations, and workflows to securely create and operate a private certificate authority (CA). step-ca makes it easy for developers, operators and security teams to manage certificates for production workloads.
Quickly bootstrap internal PKI
Get public key infrastructure and certificate authority running in minutes.
Securely issue certificates
Automate enrollment using ACME, OIDC, one-time tokens, cloud APIs and more.
Operationalize renewals
Use systemd timers, daemon mode, cron jobs, CI/CD, and more to automate certificate management.
Use TLS and/or SSH everywhere
Build and operate systems using secure open standards (e.g. X.509, mTLS, JWT, OAuth, OIDC).
STEP-CLI
The command-line interface for all things Smallstep
step-cli is a command-line tool for developers, operators, and security professionals to configure and automate the Smallstep toolchain. A swiss-army knife for the day-to-day operations of open standard identity technologies.
Get certificates from step-ca and Certificate Manager
Administer your CA and get certificates using step.
Manage JWTs and Tokens
Get, inspect, and validate OAuth access tokens, identity tokens, and JWTs.
Easy to use, hard to misuse
Safe defaults everywhere encourage best practices by making the right thing easy. Insecure or subtle operations are gated with flags to prevent accidental misuse.
Help that’s actually helpful
Run step help on any subcommand to find thorough documentation, examples, and in-depth discussion of relevant security, architectural, and operational considerations.
Friendly workflows
Thoughtfully designed to be intuitive, get the job done, and get out of the way. With step, complex security operations become simple and obvious.
Community love 💜
Limitations of open source
While we think step-ca is the best open source, online Certificate Authority on the internet, every piece of software comes with limitations and tradeoffs. step-ca is designed to favor a simple deployment of a scalable two-tiered X.509 PKI, with one Root CA and one Intermediate CA that issues end-entity certificates with passive revocation.
Limitations of step-ca that grew out of our design choices:
- It issues X.509 certificates from a single configured Intermediate CA; multiple issuing CAs are not supported
- Its root CA is always offline; a single-tier PKI is not supported
- Issuance policies are authority-wide
- There are known ACME concurrency limits for high-availability CAs
- Very limited options for active revocation (CRL, OCSP)
- Very limited options for legacy CA protocols
- Very limited options for device attestation
- No integration with Certificate Transparency (CT) logs
- No support for certificate issuance history or metrics
- No support for ACME External Account Binding (EAB)
If your use case demands these features, you should talk to us because you may be better served by our commercial platform.
Transition from open source without friction
Designed for mission-critical DevOps use cases, Step CA Pro is a drop-in replacement for the open source step-ca component. Step CA Pro provides advanced features, compliance options, and full control over the CA and root signing keys, while you benefit from our cloud-based integrations and management interface.
Step CA Pro unlocks device identity to ensure that only trusted devices can access your enterprise's most sensitive resources. Our collaboration with Google and Apple on the ACME Device Attestation (ACME DA) standard provides the strongest possible guarantee of authentic device identity, preventing credential exfiltration, phishing, and impersonation attacks.
Learn more about the platform
The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.
Enforce device identity everywhere
Whether you’re working towards a compliance standard, closing gaps in policy enforcement, or preventing nation-state attacks, our team is here to show you how the Device Identity Platform™ can help.