Carl Tashian

Upgraded key protection is a popular Silicon Valley folk remedy for CISO insomnia

We've created a device authentication factor for Okta.

At WWDC24, Apple announced Private Cloud Compute. Relying heavily on crytographic attestation, it raises the bar on cloud privacy and security.

In this post, Carl covers the real-world challenges of release engineering that we've encountered publishing our popular open-source packages over the past 5 years.

For our 2023 holiday project, we're setting up an WPA3 Enterprise certificate-authenticated Wi-Fi network at home! And when your family from out of town asks to "jump on the Wi-Fi real quick," you'll learn why this type of network is such a hassle to manage.

In this tutorial, we will set up the Smallstep Agent on an Ubuntu/Debian Linux VM, and use it to manage TLS certificates for a Redis workload.

Let's explore the Trusted Platform Module (TPM), a standardized crypto processor chip that has recently become ubiquitous in our devices.

By combining YubiKey’s smart card support with mutual TLS client certificates, hardware-bound private keys, and device attestation, you can expose your homelab to the internet in a way that carries very low security risk.

With GitHub Actions OIDC tokens and Smallstep Certificate Manager, you can access protected internal resources like cloud services, databases, websites, or Kubernetes clusters using short-lived TLS certificates and no hard-coded secrets!

The shift from SCEP to ACME device attestation is a boon for endpoint security.

Stop managing and rotating AWS IAM credentials in your workloads. IAM now lets you delegate AWS authentication to an ACME Certificate Authority.

With systemd-creds, hardware-protected secrets just got a lot easier in Linux

What if OpenSSL were a GUI program? Here's what it might look like.

We integrated the Smallstep toolchain into Kelsey Hightower's excellent tutorial, Kubernetes The Hard Way.

As I round the bend on two years at Smallstep, I have to ask myself: Why is this going so well?

We researched how dozens of Docker services handle TLS certificates, and developed a few patterns for automating certificate management in container environments.

Part one of a three part series on securing MongoDB with TLS: How to set up a Certificate Authority for MongoDB servers and clients.

Part two of a three part series on securing MongoDB with TLS: Configuring MongoDB with server and client TLS validation.

The last in a three part series on securing MongoDB: Setting up a cluster TLS with X509 user authentication.

We're excited to announce a new release of our HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.

We set up mutual TLS between five services for secure homelab monitoring with Grafana, Prometheus, Loki, Promtail, and node_exporter.

How to keep secret credentials safe on the command line.

How to use a PKCS #11 HSM with step-ca to protect your private keys

Let's make a tiny, standalone CA! We'll use a Raspberry Pi 4, YubiKey 5 NFC, and Infinite Noise TRNG.

ACME is a great protocol for internal certificate management, but enterprise software is not yet ready.

We added SSH certificate templates to step-ca, and it opened up some unexpected opportunities.

We're excited to announce our new HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.

We've added X.509 certificate templates to Step Certificates

How to create and deploy a simple and minimal bastion host on Ubuntu 20.04 LTS.

Learn how to prepare for emergency access to your SSH hosts.

Naming a CLI command requires deep and careful deliberation.

The SSH agent acts behind the scenes to keep you safe. Here's how it works.

A few of our favorite SSH tricks and tips sure to improve your daily experience.

Let's set up Google SSO for SSH! We’ll use OpenID Connect (OIDC), SSH certificates, a clever SSH configuration tweak, and Smallstep’s open source packages.