End-to-end encryption

Making PKI Easier: What you need to know about Smallstep's new UI


Linda Ikechukwu

Follow Smallstep

Workloads.UI.png Smallstep has built a reputation in the security space as the gold standard in PKI certificate management. We enable teams and organizations, small and large, to create their own Certificate Authorities and to issue certificates seamlessly for use across their infrastructure. We do this on top of step-ca, our open-source certificate toolchain.

At Smallstep, we recognize that for many developers, creating a CA and issuing certificates is only part of the challenge. Today, we are proud to announce we are evolving into an end-to-end encryption platform. Our new Smallstep Platform for end-to-end encryption will enable developers, DevOps engineers, and IT administrators alike, to manage the entire certificate lifecycle. You can now manage different entities within your infrastructure from one place and use TLS encryption to secure everything.

These platform enhancements are coming because we listened to you! We heard that our platform could do more to allow integration with technologies like Nginx servers or PostgreSQL databases that require certificates. You want us to identify the type of entity a certificate is being issued to, manage certificate renewals, and provide insights about the health of those things. Our users often had to create their own tooling for these tasks, but no longer!

Starting with our new Managed Workloads feature, Smallstep now offers agent software for both Linux and Windows devices. This agent software handles device enrollment and workload certificate management for a variety of workloads running on these devices. This major release to the Smallstep platform introduces some new concepts and components. Hopefully this post will help you make sense of these terminologies, what they mean, and what they can do for you.

Some new terminologies you’ll find on the Smallstep platform


First things first, we have grouped things (entities) that we are managing end-to-end certificate lifecycle into three different categories: Devices, Workloads, and People (Users). These three entities are at the core of the new Smallstep platform.

An entity is any singular, identifiable thing that needs a certificate. It is also synonymous with an instance, which refers to a single, identifiable entity (person, device, or workload) for which we manage certificates.

We are initially launching support for Devices and Workloads entities, with support for People entities coming in a future release.


Device entities represent a computing resource that has access to a processor, memory, and can run an operating system and applications.

There are different kinds of Devices, including Virtual Machines (AWS EC2 or Azure VM), or even physical machines like phones or laptops.

The latest update to the Smallstep platform supports the Virtual Machine device category. Support for other types of Devices are coming!


Workloads refer to a specific application, service, program or other resource that runs on a device and consumes compute and/or storage.

Workloads run on a device, and many workloads can run on a single device. Workload examples include an Ngnix server, MySQL database, GitHub action, a Kubernetes Ingress and so on.


A Collection is a named grouping of a specific type of entity, with shared configurations or policies. There can be zero to n of these specific entities in a collection.

An entity type is a specialized variant of a kind of entity. For example, AWS VMs, Azure VMs, GCP VMs, and Linux laptops are different types of Devices. On the other hand, Nginx servers, Postgres databases, and Golang microservices are different types of Workloads. So, you can have multiple AWS VMs, each running an Nginx server which hosts a duplicate of your production website, in a single virtual machine device collection.

Collections are useful for activities such as load balancing or applying shared configurations. For a list of supported workload and device types, please refer to the following link.

On the Smallstep platform, singular entities or instances are created or added within collections. So, on the UI, the hierarchy is: list of collections > list of instances in a specific collection > details of a specific instance. This means that you first create a collection for an entity type and then add individual entities or instances of the same type to that collection.

It’s also worth noting that the same way individual workloads run on individual devices, workload collections run on device collections. For example, you could create a production Ngnix workload collection, which contains two Ngnix servers, each hosting a duplicate version of your production server, hosted on different AWS EC2 instances in the same device collection.

The Smallstep Agent

The Smallstep agent is a lightweight program that runs on devices and manages end-to-end certificate lifecycle for workloads on that device. You have one agent per device, and an agent can manage certificates for different workload types that may be present on a device.

Try out the Managed Workloads feature

We’re kicking off the work towards end-to-end encryption with Managed Workloads. Managed Workloads will allow you to automate certificate issuance and renewal for your workloads through an agent running on the same system (the host) as the workload. Try it out now!

We plan to release over 50 workloads types, and we’d like you, our user or prospective user, to help us prioritize which to release first. Login or sign in to make your opinion count.

About the author: Linda is an educator at heart, and her superpower is demystifying complexity. Since joining SmallStep as a developer advocate, her new mission is now to demystify and educate about PKI and digital certificates :)