All About TPMs
By Carl Tashian
Let's explore the Trusted Platform Module (TPM), a standardized crypto processor chip that has recently become ubiquitous in our devices.
Read More >
Access your homelab from anywhere with a YubiKey and mutual TLS
By Carl Tashian
By combining YubiKey’s smart card support with mutual TLS client certificates, hardware-bound private keys, and device attestation, you can expose your homelab to the internet in a way that carries very low security risk.
Read More >
Secretless TLS client certificates in GitHub Actions
By Carl Tashian
With GitHub Actions OIDC tokens and Smallstep Certificate Manager, you can access protected internal resources like cloud services, databases, websites, or Kubernetes clusters using short-lived TLS certificates and no hard-coded secrets!
Read More >
ACME Device Attestation Explained
By Carl Tashian
The shift from SCEP to ACME device attestation is a boon for endpoint security.
Read More >
How to use ACME to authenticate to AWS
By Carl Tashian
Stop managing and rotating AWS IAM credentials in your workloads. IAM now lets you delegate AWS authentication to an ACME Certificate Authority.
Read More >
The magic of systemd-creds
By Carl Tashian
With systemd-creds, hardware-protected secrets just got a lot easier in Linux
Read More >
If OpenSSL were a GUI
By Carl Tashian
What if OpenSSL were a GUI program? Here's what it might look like.
Read More >
Automatic TLS in Kubernetes The Hard Way
By Carl Tashian
We integrated the Smallstep toolchain into Kelsey Hightower's excellent tutorial, Kubernetes The Hard Way.
Read More >
Cheating my way to success
By Carl Tashian
As I round the bend on two years at Smallstep, I have to ask myself: Why is this going so well?
Read More >
Automating TLS certificate management in Docker
By Carl Tashian
We researched how dozens of Docker services handle TLS certificates, and developed a few patterns for automating certificate management in container environments.
Read More >
Securing MongoDB With TLS (Part 1 of 3)
By Carl Tashian
Part one of a three part series on securing MongoDB with TLS: How to set up a Certificate Authority for MongoDB servers and clients.
Read More >
Securing MongoDB With TLS (Part 2 of 3)
By Carl Tashian
Part two of a three part series on securing MongoDB with TLS: Configuring MongoDB with server and client TLS validation.
Read More >
Securing MongoDB With TLS (Part 3 of 3)
By Carl Tashian
The last in a three part series on securing MongoDB: Setting up a cluster TLS with X509 user authentication.
Read More >
New Release of Smallstep ACME RA: Automating internal TLS with ACME + Google CAS
By Carl Tashian
We're excited to announce a new release of our HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.
Read More >
Grafana for homelab monitoring—with mTLS!
By Carl Tashian
We set up mutual TLS between five services for secure homelab monitoring with Grafana, Prometheus, Loki, Promtail, and node_exporter.
Read More >
How to Handle Secrets on the Command Line
By Carl Tashian
How to keep secret credentials safe on the command line.
Read More >
How to use step-ca with Hardware Security Modules (HSMs)
By Carl Tashian
How to use a PKCS #11 HSM with step-ca to protect your private keys
Read More >
Build a Tiny Certificate Authority For Your Homelab
By Carl Tashian
Let's make a tiny, standalone CA! We'll use a Raspberry Pi 4, YubiKey 5 NFC, and Infinite Noise TRNG.
Read More >
The Embarrassing State of Enterprise ACME Support
By Carl Tashian
ACME is a great protocol for internal certificate management, but enterprise software is not yet ready.
Read More >
Clever Uses of SSH Certificate Templates
By Carl Tashian
We added SSH certificate templates to step-ca, and it opened up some unexpected opportunities.
Read More >
Introducing Smallstep ACME RA: Automating internal TLS with ACME + Google CAS
By Carl Tashian
We're excited to announce our new HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.
Read More >
Announcing X.509 Certificate Flexibility
By Carl Tashian
We've added X.509 certificate templates to Step Certificates
Read More >
DIY SSH Bastion Host
By Carl Tashian
How to create and deploy a simple and minimal bastion host on Ubuntu 20.04 LTS.
Read More >
SSH Emergency Access
By Carl Tashian
Learn how to prepare for emergency access to your SSH hosts.
Read More >
The Poetics of CLI Command Names
By Carl Tashian
Naming a CLI command requires deep and careful deliberation.
Read More >
SSH Agent Explained
By Carl Tashian
The SSH agent acts behind the scenes to keep you safe. Here's how it works.
Read More >
SSH Tips & Tricks
By Carl Tashian
A few of our favorite SSH tricks and tips sure to improve your daily experience.
Read More >
DIY Single Sign-On for SSH
By Carl Tashian
Let's set up Google SSO for SSH! We’ll use OpenID Connect (OIDC), SSH certificates, a clever SSH configuration tweak, and Smallstep’s open source packages.
Read More >