The smallstep blog

June 6, 2019

Great Minds Really Do Think Alike!

Use TLS for enterprise defense-in-depth. The third edition of the Modern Security for Leaders series.

May 23, 2019

Traffic, Bridge Tolls, and Secure Browsing - How Automation Helps Secure The Internet

Using automation to improve bridge traffic and internet security. The second edition of the Modern Security for Leaders series.

May 16, 2019

Instincts, Fast Cars, and Modern Security - Why I Joined smallstep

Leaping headfirst into building identity-driven security for developers, security, and operations teams. Introducing the Modern Security for Leaders series.

May 2, 2019

Good certificates die young: what's passive revocation and how's it implemented?

If you're a normal human person you probably don't think much about certificate revocation. This post will help you justify your apathy. It will explain why your indifference is, in fact, the technically correct attitude to have regarding this particular detail of your system's security architecture.

March 27, 2019

Step v0.9.0: easily curl services secured by mutual TLS and more

Unlike an inventory of machines or services, user identities are usually already managed by an existing provider such as G-Suite, Okta, Salesforce, or Microsoft Office 365. Almost all of these enterprise services expose OpenID Connect identity providers. OpenID Connect is a suite of single-sign-on protocols that lets users create accounts in and log into third-party applications using a single account per user identity. In step v0.9.0 you can now leverage OpenID Connect to authenticate to step certificates, making issuance of personal certificates simple for your whole team.

February 25, 2019

Step v0.8.6: valid HTTPS certificates for dev & pre-prod (and more)

Almost 80% of web page loads now use TLS. But almost no one uses TLS in development and pre-production. Why? Because it's hard. That sucks. When dev and staging don't match prod, bad things happen. Today's step release, version 0.8.6, makes using TLS in dev & pre-prod environments a whole lot easier.

January 28, 2019

Step v0.8.3 brings Federation & Root Rotation

We are excited to start the New Year off with a new release (v0.8.3) of step certificates, the powerful open source certificate management solution. Amongst regular bug fixes, we’ve included some exciting new features!

December 11, 2018

Step Certificates

At smallstep we've been focused, lately, on building technology that makes it easier for you to access your stuff. As things stand today, access is really hard. It's really hard for developers to access internal services in production and pre-production environments (e.g., to debug using curl). It's really hard for your stuff running in AWS to access your stuff running in GCP and vice-versa. It's really hard for employees to access enterprise IT applications from their iPhones while they're on the bus heading into work. Supporting these use cases, and dozens more like it, is so hard that it's often not done. Access that would make people more productive, make systems better, reduce costs, improve performance, and generally improve software and employee well-being is simply denied. That sucks.

December 11, 2018

Everything you should know about certificates and PKI but are too afraid to ask

Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who've avoided this particular rabbit hole. Personally, I avoided it for a long time and felt some shame for not knowing more. The obvious result was a vicious cycle: I was too embarrassed to ask questions so I never learned. Eventually I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It's universal and vendor neutral. It works everywhere so bits of your system can run anywhere and communicate securely. It's conceptually simple and super flexible. It lets you use TLS and ditch VPNs. You can ignore everything about your network and still have strong security characteristics. It's pretty great.

November 20, 2018
This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for traffic coming from the public internet to your website and APIs, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs. I suspect this recommendation will elicit a range of reactions from apathy to animosity. Regardless, please read on. Using TLS everywhere has a wide range of benefits. Perhaps surprisingly, some of the most compelling benefits have nothing to do with security.

August 7, 2018

Step: A New Zero Trust Swiss Army Knife from Smallstep

The way most software systems are secured today is fundamentally flawed. They rely on “perimeter” security: a firewall guarding access to a protected network. Inside the perimeter traffic is mostly trusted. This paradigm relies on assumptions that nobody actually believes are true: that people are never careless or dishonest and never make mistakes. One slip up that allows an attacker inside the perimeter and it’s game over.
