ACME Registration Authority

Automate certificates across the enterprise


Issue certificates without human interaction

Smallstep ACME Registration Authority (RA) brings ACME protocol support to existing PKI environments, allowing you to automate certificate enrollment and renewal using ACME-compliant clients like certbot, Terraform, Caddy, and Kubernetes cert-manager.

Smallstep ACME RA acts narrowly as a registration authority: it accepts ACME certificate orders and authenticates certificate requests by verifying an ACME challenge. Smallstep ACME RA does not sign certificates itself. Instead, certificate requests are passed to your existing PKI to sign and catalog.


Stop manually renewing X.509 certificates in your internal PKI


Works where you do

Benefit from the ACME ecosystem and automate certificates across the enterprise.

Available today with Certificate Manager or on the GCP Marketplace.


Easily issue certificates to modern systems

Bridge modern infrastructure to existing PKI mechanisms and controls

Certificates are trusted by anything that trusts your existing PKI root certificate


No more manual certificate issuance

Automate certificates while keeping centralized control

Certificate requests are signed and cataloged by your existing internal PKI


Ditch the certificate monitoring tools

Stop paying for expensive certificate monitoring tools

Renewal is automated, so certificates never expire


Securely issue and audit certificates

Issued certificates appear in your existing PKI console and audit logs

Security-sensitive signing keys are never seen by the Smallstep ACME Registration Authority



Bridge domains, networks, or clouds and issue internally trusted certificates

Connect Linux to Windows without replacing existing security mechanisms

Try it with Smallstep Certificate Manager

Show me how

Click to deploy and go

Add ACME support to your existing PKI

Request a PKI provider

Let us know where to build next

Set Up ACME Support in Minutes

ACME (RFC 8555) is the protocol that Let’s Encrypt uses to automate certificate management for websites. With ACME, activities like CSR generation, domain ownership verification, certificate download, and installation are completely automated.

  • No more manual certificate management and configuration.
  • No more outages due to certificate expiry.

Due to these advantages, ACME is used to deliver more than 80% of certificates on the web, and a robust ecosystem of ACME-compliant clients and libraries has developed.

Smallstep ACME RA is built on step-ca, the only open source ACME server built for production use. Smallstep worked closely with Let’s Encrypt and the open source client ecosystem to ensure broad support with step-ca. Most ACME clients connect to the publicly trusted Let’s Encrypt certificate authority by default, but whichever ACME client you choose has very likely already been documented and thoroughly tested to work with step-ca.

  • Supports all of the ACME challenge types supported by Let’s Encrypt (HTTP, DNS, ALPN).
  • Documented and thoroughly tested to work with popular ACME clients.

Smallstep ACME RA runs within your network or VPC. That means it can respond to ACME requests from internal infrastructure and workloads. This integration brings all of the benefits of ACME to your internal infrastructure.

The Smallstep ACME RA accepts ACME certificate orders and authenticates certificate requests by verifying an ACME challenge. Upon verification, certificate signing requests are passed to your existing PKI to sign and catalog.

  • Issued certificates are trusted by anything that trusts your PKI root certificate.
  • Issued certificates appear in your PKI console and audit logs.
  • Security-sensitive signing keys are managed by your existing PKI and never seen by Smallstep ACME RA.

Smallstep ACME RA is built and supported by Smallstep, the company behind the open source step-ca certificate management toolchain. It builds on the open source step-ca project, adding click-to-deploy integrations with popular PKI systems, updates, and support.