How to Run Your Own Private CA—Get Going with the Smallstep Onboarding Utility
For the pragmatists and learn-by-doing people who want to get up and running quickly, we’ve launched a new interactive onboarding utility. It walks through the process of running a private CA and connecting two systems in your infrastructure.
Run your own private CA & ACME server using step-ca
With today’s release (v0.13.0), you can now use ACME to get certificates from step-ca. ACME (RFC 8555) is the protocol that Let’s Encrypt uses to automate certificate management for websites. ACME radically simplifies the deployment of TLS and HTTPS by letting you obtain certificates automatically, without human interaction.
Prove you are not human -- Take the ACME Challenge
Automating internet security with the Let’s Encrypt certificate authority has led to the massive acceleration of safe web browsing. As we roll out ACME protocol support and give away some free hoodies, we want to thank Let’s Encrypt and the IETF for making it all possible.
If you’re not using SSH certificates you’re doing SSH wrong
SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.
Announcing v0.12.0 of step and step-ca
The big headline feature for this release is the ability to create user and host SSH certificates, allowing you to streamline your SSH infrastructure and processes. No more editing Authorized Keys files for every change in membership and especially no more warnings about “remote host identification changes” which you’re just going to ignore anyways (or is that just me?).
Trust Anchors In Modern Systems; Don’t Overlook The Bottom Turtle
This issue is a discussion about the trust anchor and dependencies of systems. While a clever turtle reference often satisfies the room, getting a real answer to this question is fundamental to modern security practices.
Embarrassingly easy private certificate management for VMs on AWS, GCP, and Azure
step and step-ca (v0.11.0) add support for cloud instance identity documents (IIDs), making it embarrassingly easy to get certificates to workloads running on public cloud virtual machines (VMs). This post introduces IID-based authentication with step and step-ca, and notes some interesting architectural and security details.
Announcing v0.11.0 of step and step-ca
The big headline feature for this release is instance identity document support but there are a ton of other small improvements in this release including Helm, key types, self-signed certs, group checks for SSO, email SAN, bundling and other upgrades.
Great Minds Really Do Think Alike! No really, they do!
I found an inarguable topic in the most unlikely of places, deep in the conversations between cyber-security experts. The third edition of the Modern Security for Leaders series.
Traffic, Bridge Tolls, and Secure Browsing - How Automation Secures The Internet
In this post, we will explore how successful public internet practices provide a set of instructions for how the industry should be thinking about securing internal systems. The second edition of the Modern Security for Leaders series.
Instincts, Fast Cars, and Modern Security - Why I Joined smallstep
smallstep’s vision is centered on modernizing security practices using the best available technology to solve security challenges. Now you’re probably saying (as I was at this point), there are hundreds of companies out there spending billions of dollars on modernizing practices. How much market is really left for a scrappy startup? Turns out a lot!
Good certificates die young: what's passive revocation and how's it implemented?
If you’re a normal human person you probably don’t think much about certificate revocation. This post will help you justify your apathy. It will explain why your indifference is, in fact, the technically correct attitude to have regarding this particular detail of your system’s security architecture.
Step v0.9.0: Curl mTLS services with SSO certificates via OAuth OpenID Connect
Introducing step v0.9.0: Most enterprise IAM systems expose OpenID Connect (a suite of single-sign-on protocols that allow the creation of accounts and login to third-party applications using a single account per user identity). In step v0.9.0 you can now leverage OpenID Connect to authenticate with step certificates, making issuance of personal certificates simple.
Step v0.8.6: Bring development closer to production with valid HTTPS certificates
Almost 80% of web page loads now use TLS. But almost no one uses TLS in development and pre-production. Why? Because it’s hard. That sucks. When dev and staging don’t match prod, bad things happen. Today’s step release, version 0.8.6, makes using TLS in dev & pre-prod environments a whole lot easier.
Step v0.8.3: Federation and Root Rotation for step Certificates
The purpose of federation is to allow for secure communication across autonomous systems (e.g., across clouds or between Kubernetes clusters). In this post, we’ll take a closer look into how federation works and how the step toolkit expands robust identity bootstrapping beyond a single Kubernetes cluster, cloud, or VM without getting bogged down by operational challenges.
Introducing step Certificates, secure, automated certificate management
Introducing step Certificates, an open-source project that makes secure automated certificate management easy, so you can use TLS and easily access anything, running anywhere, from everywhere. But step certificates is more than a certificate authority. It provides all the missing bits you need to run your own internal public key infrastructure (PKI).
Everything you should know about certificates and PKI but are too afraid to ask
Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who’ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It’s universal and vendor-neutral yet poorly documented. This is the missing manual.
The case for using TLS everywhere
By: Mike Malone
This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for the public internet, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs. I suspect this will elicit a range of reactions from apathy to animosity. Regardless, read on.
Step: A New Zero Trust Swiss Army Knife from Smallstep
A better security model exists. Instead of relying on IP and MAC addresses to determine access we can cryptographically authenticate the identity of people and software making requests. It’s a simple concept, really: what matters is who or what is making a request, not where a request comes from. In short, access should be based on production identity.