Amazon AWS ACM vs Smallstep Certificate Manager
Looking for automated certificate management for all your internal workloads and developers? Wondering how the offerings stack up? Below is an overview of Amazon AWS ACM PCA capabilities and a side-by-side comparison to Smallstep Certificate Manager.
Overview of capabilities
Amazon AWS ACM PCA is a hosted certificate authority designed to work well with other Amazon services. It is a good option if all your workloads and services run inside AWS. It’s well integrated with load balancers and core services and can provide automated certificates for some of the Amazon cloud services. However, once you step outside of AWS, things get difficult. It lacks automation around authenticated issuance (more on that below) and cannot build longer PKI chains (which help in complex multi-cloud environments). AWS ACM PCA is licensed by the number of CAs and certificates, with discounted certificate charges at higher volumes.
From a technology perspective, Amazon’s primary deficiencies are around certificate management. It lacks many automated authorization methods, so operators have to spend time creating certificates by hand. Because certificate creation is manual, longer expiry times are used to avoid busy work in the future. Per-certificate charges also push certificate lifetimes longer, providing another incentive towards poor security practices. With Smallstep, we provide end-to-end certificate management for developers and operators. We authorize and automate the lifecycle and reduce certificate lifetimes, allowing your developers to move quickly and securely.
Detailed comparison
Category | Item | Certificate Manager | Amazon ACM PCA |
---|---|---|---|
General | Form Factor | SaaS or On-Premise | SaaS only |
General | Managed By | Smallstep | Amazon |
General | Administration | UI / CLI | UI / CLI |
General | Highly-available Certificate Authority | ||
General | Short-lived certificates with automated renewal | ||
General | Private keys in cloud KMS | ||
General | Private keys in dedicated HSM | ||
General | Open source certificate authority | ||
General | Cloud managed, on-prem signing CA | ||
General | Run anywhere Registration Authority | ||
Authenticated Issuance | Authenticated certificate issuance | ||
Authenticated Issuance | ACME DNS, HTTP, ALPN, IP, and EAB challenges | ||
Authenticated Issuance | OIDC - bind user email to SAN/name for developer access | ||
Authenticated Issuance | OIDC - Admin user create any SAN/name for custom certificate | ||
Authenticated Issuance | OIDC - SSO identity token or device auth grant workflows | ||
Authenticated Issuance | AWS, GCP, Azure instance identity docs for cloud infrastructure | ||
Authenticated Issuance | Existing valid certificate for derived credentials | ||
Authenticated Issuance | JWK for password, one-time token, or multi-use token authentication | ||
Authenticated Issuance | API for a certificate | ||
Authenticated Issuance | Issue cert via UI | Coming Soon | |
Authorize & Customize | Templatized customization of certificates | ||
Authorize & Customize | Template customization - UI | Coming Soon | |
Authorize & Customize | Template customization - CLI | ||
Authorize & Customize | Inventories - metadata enrichment or access control | Coming Soon | |
Authorize & Customize | Use metadata to authorize certificate issuance | Coming Soon | |
Authorize & Customize | Enrich CSR metadata with 3rd party directory | Coming Soon | |
Authorize & Customize | Name constraints on Authority | ||
Authorize & Customize | Allow / deny lists on provisioners | ||
Observability | Issued certificates details in UI | ||
Observability | Expiry events via webhook event | ||
Observability | Expiry events via email | ||
Observability | Export to webhook / SIEM | CloudWatch? | |
Observability | Ability to renew certificate | ||
Renewal | Single-command renewal | ||
Renewal | SystemD timers | ||
Renewal | Stand-alone daemon | ||
Renewal | Cron Jobs | ||
Renewal | ACME Challenges | ||
Renewal | OIDC - Single Sign-on flow | ||
Renewal | Configuration Management | ||
Renewal | API for renewal | ||
Renewal | Renew after expiry | ||
Renewal | Manual renewal by Admin | ||
Revocation | Passive Revocation | ||
Revocation | Active Revocation - CRL | ||
Revocation | Active Revocation - OCSP | ||
Revocation | Validation Authority | ||
Data as of July 1st, 2021