Blog
Filter by Tags:
Filter by Author:
Have you ever wondered how to securely enroll a brand new phone or laptop onto your network and with your PKI? In this post we describe ACME Device Attestation, which uses a strong cryptographic proof of identity to request a client certificate from an internal PKI. It is set to replace SCEP as the premier method for enrolling with a CA. We’re very excited about it, and you should be too.
Making our toolchain work on the web using WebAssembly
By: Herman Slatman
WebAssembly is a great technology for porting existing applications to run on a web page. Read along to learn what we had to do to compile our
step toolchain to WebAssembly and make it usable on the web.
By: Linda Ikechukwu
Although SSH certificates are the most secure way to regulate SSH access, they are underutilised. They’re also frequently confused with X.509 (aka TLS) certificates. This article explains what SSH certificates are, why you should be using them, and how they differ from their more popular X.509 counterparts.
How to use ACME to authenticate to AWS
By: Carl Tashian
Stop managing and rotating AWS IAM credentials in your workloads. IAM now lets you delegate AWS authentication to an ACME Certificate Authority.
By: Carl Tashian
With systemd-creds, hardware-protected secrets just got a lot easier in Linux
Welcome to Smallstep Certificate Manager
By: Mike Maxey
Today is the first step in the Certificate Manager journey. We delivered the core platform to make users successful and are excited to see what you will do with it.
By: Carl Tashian
What if OpenSSL were a GUI program? Here’s what it might look like.
Automatic TLS in Kubernetes The Hard Way
By: Carl Tashian
We added certificate automation to Kubernetes The Hard Way.
How we got here, and where we are headed
By: Mike Malone
We have secured our seed and Series A funding - this is a huge thank you to our investors and our community who believe in us and continue to help us make Production Identity a reality.
By: Carl Tashian
After two years at Smallstep, Carl reflects on creative flow
Automating TLS certificate management in Docker
By: Carl Tashian
We researched how dozens of Docker services handle TLS certificates, and developed a few patterns for automating certificate management in container environments.
Securing MongoDB With TLS (Part 1 of 3)
By: Carl Tashian
Part one of a three part series on securing MongoDB with TLS: How to set up a Certificate Authority for MongoDB servers and clients.
Securing MongoDB With TLS (Part 2 of 3)
By: Carl Tashian
Part two of a three part series on securing MongoDB with TLS: Configuring MongoDB with server and client TLS validation.
Securing MongoDB With TLS (Part 3 of 3)
By: Carl Tashian
The last in a three part series on securing MongoDB: Setting up a cluster TLS with X509 user authentication.
We’re excited to announce a new release of our HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.
A step-by-step guide to securing Istio and Kubernetes workloads using an open-source private certificate authority.
Grafana for homelab monitoring—with mTLS!
By: Carl Tashian
We set up mutual TLS between five services for secure homelab monitoring with Grafana, Prometheus, Loki, Promtail, and node_exporter.
How to Handle Secrets on the Command Line
By: Carl Tashian
How to keep secret credentials safe on the command line.
How to use step-ca with Hardware Security Modules (HSMs)
By: Carl Tashian
How to use a PKCS #11 HSM with
step-ca to protect your private keys
2020 Certificate Management Survey Results
By: Mike Maxey
Internal PKI continues to be essential but struggles with modern practices. But don’t worry, there is hope.
Build a Tiny Certificate Authority For Your Homelab
By: Carl Tashian
Let’s make a tiny, standalone CA! We’ll use a Raspberry Pi 4, YubiKey 5 NFC, and Infinite Noise TRNG.
The Embarrassing State of Enterprise ACME Support
By: Carl Tashian
ACME is a great protocol for internal certificate management, but enterprise software is not yet ready.
Clever Uses of SSH Certificate Templates
By: Carl Tashian
We added SSH certificate templates to step-ca, and it opened up some unexpected opportunities.
We’re excited to announce our new HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.
Announcing X.509 Certificate Flexibility
By: Carl Tashian
We’ve added X.509 certificate templates to Step Certificates
🤦♂️ Facepalm Lesson One: The Delayed Aha Moment
By: Mike Maxey
What became clear in our product-led research is that we made a few mishaps. And there was one in particular that we wanted to fix ASAP. A series of go-to-market learnings and mishaps from smallstep.
By: Carl Tashian
How to create and deploy a simple and minimal bastion host on Ubuntu 20.04 LTS.
By: Carl Tashian
Learn how to prepare for emergency access to your SSH hosts.
The Poetics of CLI Command Names
By: Carl Tashian
Naming a CLI command requires deep and careful deliberation.
By: Carl Tashian
The SSH agent acts behind the scenes to keep you safe. Here’s how it works.
By: Carl Tashian
A few of our favorite SSH tricks and tips sure to improve your daily experience.
By: Mike Malone
It took a lot of late nights and weekends to get here. I’m incredibly thankful for the work of our fantastic team, early access customers, and to their families for behind the scenes support. Today, we’re excited to announce the output of that work: the general availability of Smallstep SSH Professional Edition.
By: Carl Tashian
Let’s set up Google SSO for SSH! We’ll use OpenID Connect (OIDC), SSH certificates, a clever SSH configuration tweak, and Smallstep’s open source packages.
Announcing v0.14.2 of step and step-ca
By: Max Furman
The big headline features for this release are the initial support for Microsoft Windows
step clients and first-class support for a single sign-on SSH certificate authority.
Video recording of the 10-minute lightning talk from Mike Malone on using SSH Certificates. This was recorded at BSidesSF 2020.
For the pragmatists and learn-by-doing people who want to get up and running quickly, we’ve launched a new interactive onboarding utility. It walks through the process of running a private CA and connecting two systems in your infrastructure.
Run your own private CA & ACME server using step-ca
By: Mike Malone
With today’s release (v0.13.0), you can now use ACME to get certificates from step-ca. ACME (RFC8555) is the protocol that Let’s Encrypt uses to automate certificate management for websites. ACME radically simplifies the deployment of TLS and HTTPS by letting you obtain certificates automatically, without human interaction.
Prove you are not human -- Take the ACME Challenge
By: Mike Maxey
Automating internet security with the Let’s Encrypt certificate authority has led to the massive acceleration of safe web browsing. As we roll out ACME protocol support and give away some free hoodies, we want to thank Let’s Encrypt and the IETF for making it all possible.
If you’re not using SSH certificates you’re doing SSH wrong
By: Mike Malone
SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.
Announcing v0.12.0 of step and step-ca
By: Max Furman
The big headline feature for this release is the ability to create user and host SSH certificates, allowing you to streamline your SSH infrastructure and processes. No more editing Authorized Keys files for every change in membership and especially no more warnings about “remote host identification changes” which you’re just going to ignore anyways (or is that just me?).
This issue is a discussion about the trust anchor and dependencies of systems. While a clever turtle reference often satisfies the room, getting a real answer to this question is fundamental to modern security practices.
step and step-ca (v0.11.0) adds support for cloud instance identity documents (IIDs), making it embarrassingly easy to get certificates to workloads running on public cloud virtual machines (VMs). This post introduces IID-based authentication with step and step-ca, and notes some interesting architectural and security details.
Announcing v0.11.0 of step and step-ca
By: Max Furman
The big headline feature for this release is instance identity document support but there are a ton of other small improvements in this release including Helm, key types, self-signed certs, group checks for SSO, email SAN, bundling and other upgrades.
Great Minds Really Do Think Alike! No really, they do!
By: Mike Maxey
I found an inarguable topic in the most unlikely of places, deep in the conversations between cyber-security experts. The third edition of the Modern Security for Leaders series.
In this post, we will explore how successful public internet practices provide a set of instructions for how the industry should be thinking about securing internal systems. The second edition of the Modern Security for Leaders series.
smallstep’s vision is centered on modernizing security practices using the best available technology to solve security challenges. Now you’re probably saying (as I was at this point), there are hundreds of companies out there spending billions of dollars on modernizing practices. How much market is really left for a scrappy startup? Turns out a lot!
If you’re a normal human person you probably don’t think much about certificate revocation. This post will help you justify your apathy. It will explain why your indifference is, in fact, the technically correct attitude to have regarding this particular detail of your system’s security architecture.
Introducing step v0.9.0: Most enterprise IAM systems expose OpenID Connect (a suite of single-sign-on protocols that allow the creation of accounts and login into third party applications using a single account per user identity). In step v0.9.0 you can now leverage OpenID Connect to authenticate with step certificates to make issuance of personal certificates simple.
Step v0.8.6: Bring development closer to production with valid HTTPS certificates
By: Sebastian Tiedtke
Almost 80% of web page loads now use TLS. But almost no one uses TLS in development and pre-production. Why? Because it’s hard. That sucks. When dev and staging don’t match prod, bad things happen. Today’s step release, version 0.8.6, makes using TLS in dev & pre-prod environments a whole lot easier.
Step v0.8.3: Federation and Root Rotation for step Certificates
By: Sebastian Tiedtke
The purpose of federation is to allow for secure communication across autonomous systems (e.g., across clouds or between kubernetes clusters). In this post, we’ll take a closer look into how federation works and how the step toolkit expands robust identity bootstrapping beyond a single Kubernetes cluster, cloud, or VM without getting bogged down by operational challenges.
Introducing step Certificates, an open-source project that makes secure automated certificate management easy, so you can use TLS and easily access anything, running anywhere, from everywhere. But step certificates is more than a certificate authority. It provides all the missing bits you need to run your own internal public key infrastructure (PKI).
Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who’ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It’s universal and vendor-neutral yet poorly documented. This is the missing manual.
The case for using TLS everywhere
By: Mike Malone
This post has a simple purpose: to persuade you to use TLS everywhere. By everywhere, I mean everywhere. Not just for the public internet, but for every internal service-to-service request. Not just between clouds or regions. Everywhere. Even inside production perimeters like VPCs. I suspect this will elicit a range of reactions from apathy to animosity. Regardless, read on.
Step: A New Zero Trust Swiss Army Knife from Smallstep
By: Mike Malone
A better security model exists. Instead of relying on IP and MAC addresses to determine access we can cryptographically authenticate the identity of people and software making requests. It’s a simple concept, really: what matters is who or what is making a request, not where a request comes from. In short, access should be based on production identity.