How Step-CA is Revolutionizing Automated Certificate Management


Linda Ikechukwu


Smallstep’s mission is to enable teams to use TLS everywhere for end-to-end encryption. We exist to empower teams to use short-lived TLS certificates to encrypt and authenticate communications between all devices, workloads, and people within their workforce, so they can truly build and operate distributed systems. Whether it's AWS EC2 instances, an IoT fleet, an NGINX web server, a Postgres database, or an MDM deployment, we’ll encrypt all the communication within your infrastructure and create a cryptographic perimeter around your resources.

Step-CA is our open-source online certificate authority, which forms the foundation of the Smallstep platform. We’ve continued to maintain and develop step-ca so that indie developers and homelabbers (with more time to experiment) can easily automate certificate management for entities within their internal networks.

Today, we're spotlighting the stories of three members of our open source community, Carlo, Karanbir, and Mario, as they share how step-ca has simplified their workflows with automated certificate management.

Mario uses Step-CA to automate TLS certificates for containerised environments

“I can’t believe that I get to use step-ca as a containerised CA server issuing certificates for a non-internet entity.”

Mario François Jauvin, the founder of consulting firm MFJ Associates, boasts over 20 years of experience in network architecture, performance management, and software development. He utilizes container tools like Docker across his projects to create scriptable and repeatable environments.

Mario was seeking a tool to automate TLS certificate management for Docker environments, so he could move away from the manual and constrained process typical of his Windows server environment. Today, he uses step-ca as a containerized CA server to issue certificates for entities that are not reachable from the internet, a solution he still finds remarkable. His story is a testament to step-ca’s versatility and efficiency.

Carlo uses Step-CA as an internal ACME CA

“Step-CA’s ACME implementation is outstanding because it enables me to seamlessly renew certificates on Kubernetes.”

Carlo Maiorano Picone is an Infrastructure Engineer currently working for the consulting firm Informatica. He had been using Let’s Encrypt to automate certificate issuance for publicly reachable endpoints in his homelab, and appreciated the convenience of the ACME protocol for certificate management. However, since Let’s Encrypt can’t issue certificates for internal endpoints that are not reachable from the internet, he sought an internal CA with ACME support. That's when he discovered step-ca on GitHub.

Initially, Carlo started using step-ca in his homelab to provision certificates to his Kubernetes containers. He found it so effective that he has since deployed step-ca on-premise for several clients at his consulting firm. His favourite thing about the Smallstep ecosystem is our vibrant open-source community on Discord.

Karanbir uses Step-CA to enable mTLS for his VMs

“Smallstep is something out of the world. It’s flawless, handy, and fully automated. I think it deserves more flowers than it currently gets.”

Mutual TLS (mTLS) is a form of mutual authentication in which both parties in a connection authenticate each other using the TLS protocol: the client verifies the server’s certificate as usual, and the server also requires and verifies a certificate from the client. mTLS effectively eliminates the need for complex network boundaries, VPNs, and IP whitelists to provide access to your applications.
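To make that mutual check concrete, here is an added example (not code from this post, from step-ca, or from Karanbir’s setup) that mints a private CA, a server certificate and a client certificate in memory with the Go standard library and then runs a TLS handshake with `RequireAndVerifyClientCert` on the server side, with and without the client certificate. The CA name, host names and certificate lifetimes are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert mints a short-lived ECDSA cert for cn; a nil parent means self-signed (the CA itself).
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // hours, not years
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Handshake runs one TLS handshake over an in-memory pipe; the server demands a client cert chained to the CA.
func Handshake(withClientCert bool) (clientErr, serverErr error) {
	ca, caKey := newCert("homelab-ca", nil, nil, true) // constructed demo names, not real infrastructure
	srv, srvKey := newCert("localhost", ca, caKey, false)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, // the "mutual" part
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"} // the client verifies the server as usual
	if withClientCert {
		cli, cliKey := newCert("vm-client", ca, caKey, false)
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	}
	cConn, sConn := net.Pipe()
	defer func() { cConn.Close(); sConn.Close() }()
	done := make(chan error, 1)
	go func() { done <- tls.Server(sConn, srvCfg).Handshake() }()
	clientErr = tls.Client(cConn, cliCfg).Handshake()
	go io.Copy(io.Discard, cConn) // drain so the server's alert write can never block the pipe
	return clientErr, <-done
}
```

With TLS 1.3 the client’s handshake completes before the server has checked its certificate, so the rejection shows up as the server-side error (and as an alert on the client’s next read), which is why the function returns both sides’ results.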

Karanbir Singh is a Senior Software Engineer at Telstra. Before discovering step-ca, he used tools like OpenSSL and mkcert. But he was frustrated with these tools, as they weren’t as intuitive or automated as he would have liked. He was seeking an ACME CA that, unlike Let's Encrypt, could work for non-public endpoints, when he found step-ca.

Since discovering step-ca, he has stopped using OpenSSL. In his words, “in OpenSSL you can type four commands and if you mess it up, then you’ll have to start afresh”. In contrast, step-ca and its complementary CLI tool (step CLI) ship with sensible defaults and built-in utilities like certificate management, JWT tokens, and certificate introspection, providing a level of efficiency and ease which he finds truly remarkable.

Leverage security best-practices with Step-CA

Step-CA is a brilliant solution for automating certificate and PKI management, resolving extensive security challenges encountered in network and infrastructure security. The stories of Carlo, Karanbir, and Mario are a testament to its transformative power. It simplifies complex workflows and enhances security, offering a solution for automated certificate management that suits just about any environment or workload, from Kubernetes to web servers, databases, VMs, and beyond.

Just like Carlo, Karanbir, and Mario, there are several open source users using step-CA across their homelabs and projects, whose stories are yet to be told. If you’re part of our open source community and would like us to tell your story too, fill out this form and we’ll be in touch 😊.

While Step-CA is well-suited for homelabs and small projects, it might not be the right choice for larger production systems. In such cases, consider the Smallstep platform, which has everything you need to get to market in record time with security you can brag about. If you're already using our open-source CA, connecting to our platform is straightforward. Sign up for an account and give it a try today!

About the author: Linda is an educator at heart, and her superpower is demystifying complexity. Since joining Smallstep as a developer advocate, her new mission is to demystify and educate about PKI and digital certificates :)