Amazon AWS ACM vs Smallstep Certificate Manager

Looking for automated certificate management for all your internal workloads and developers? Wondering how the offerings stack up? Below is an overview of Amazon AWS ACM PCA capabilities and a side-by-side comparison to Smallstep Certificate Manager.


Overview of capabilities

Amazon AWS ACM PCA is a hosted certificate authority designed to work well with other Amazon services. It is a good option if all your workloads and services run inside AWS. It is well integrated with load balancers and core services and can provide automated certificates for some of the Amazon cloud services. However, once you step outside of AWS, things get difficult. It lacks automation around authenticated issuance (more on that below) and cannot build longer PKI chains (which help in complex multi-cloud environments). AWS ACM PCA is licensed by the number of CAs and certificates, with discounted certificate charges at higher volumes.

From a technology perspective, Amazon's primary deficiencies are around certificate management. It lacks many automated authorization methods, so operators spend time creating certificates by hand. Because certificate creation is manual, longer expiry times are used to avoid busy work in the future. Per-certificate charges also push toward longer certificate lifetimes, providing another incentive towards poor security practices. With smallstep, we provide end-to-end certificate management for developers and operators. We authorize and automate the lifecycle and reduce certificate lifetimes, allowing your developers to move quickly and securely.

Detailed comparison

Category               | Item                                                                | Certificate Manager | Amazon ACM PCA
-----------------------|---------------------------------------------------------------------|---------------------|---------------
General                | Form factor                                                         | SaaS or on-premise  | SaaS only
General                | Managed by                                                          | Smallstep           | Amazon
General                | Administration                                                      | UI / CLI            | UI / CLI
General                | Highly-available certificate authority                              |                     |
General                | Short-lived certificates with automated renewal                     |                     |
General                | Private keys in cloud KMS                                           |                     |
General                | Private keys in dedicated HSM                                       |                     |
General                | Open source certificate authority                                   |                     |
General                | Cloud managed, on-prem signing CA                                   |                     |
General                | Run-anywhere Registration Authority                                 |                     |
Authenticated Issuance | Authenticated certificate issuance                                  |                     |
Authenticated Issuance | ACME DNS, HTTP, ALPN, IP, and EAB challenges                        |                     |
Authenticated Issuance | OIDC - bind user email to SAN/name for developer access             |                     |
Authenticated Issuance | OIDC - admin user creates any SAN/name for custom certificate       |                     |
Authenticated Issuance | OIDC - SSO identity token or device auth grant workflows            |                     |
Authenticated Issuance | AWS, GCP, Azure instance identity docs for cloud infrastructure     |                     |
Authenticated Issuance | Existing valid certificate for derived credentials                  |                     |
Authenticated Issuance | JWK for password, one-time token, or multi-use token authentication |                     |
Authenticated Issuance | API for a certificate                                               |                     |
Authenticated Issuance | Issue cert via UI                                                   | Coming Soon         |
Authorize & Customize  | Templatized customization of certificates                           |                     |
Authorize & Customize  | Template customization - UI                                         | Coming Soon         |
Authorize & Customize  | Template customization - CLI                                        |                     |
Authorize & Customize  | Inventories - metadata enrichment or access control                 | Coming Soon         |
Authorize & Customize  | Use metadata to authorize certificate issuance                      | Coming Soon         |
Authorize & Customize  | Enrich CSR metadata with 3rd-party directory                        | Coming Soon         |
Authorize & Customize  | Name constraints on authority                                       |                     |
Authorize & Customize  | Allow / deny lists on provisioners                                  |                     |
Observability          | Issued certificate details in UI                                    |                     |
Observability          | Expiry events via webhook event                                     |                     |
Observability          | Expiry events via email                                             |                     |
Observability          | Export to webhook / SIEM                                            |                     | CloudWatch?
Observability          | Ability to renew certificate                                        |                     |
Renewal                | Single-command renewal                                              |                     |
Renewal                | systemd timers                                                      |                     |
Renewal                | Stand-alone daemon                                                  |                     |
Renewal                | Cron jobs                                                           |                     |
Renewal                | ACME challenges                                                     |                     |
Renewal                | OIDC - single sign-on flow                                          |                     |
Renewal                | Configuration management                                            |                     |
Renewal                | API for renewal                                                     |                     |
Renewal                | Renew after expiry                                                  |                     |
Renewal                | Manual renewal by admin                                             |                     |
Revocation             | Passive revocation                                                  |                     |
Revocation             | Active revocation - CRL                                             |                     |
Revocation             | Active revocation - OCSP                                            |                     |
Revocation             | Validation Authority                                                |                     |

Data as of July 1st, 2021
