Smallstep
Overview
How it works
Pricing
Sign Up

Sign up, it’s fun.

Using Smallstep in big Ways? Contact sales for information on Smallstep pricing.

Account & Support

A Smallstep account and support subscription gives you access to PKI Experts at Smallstep when questions arise.

$0 / month

Single admin with community support. Good for dev, personal and homelab projects.

$249 / month

Dashboard single sign-on, integrates with your current IDP. Access to Smallstep support. Good for small teams and standard deploys.

$999 / month

Export to SIEM and Smallstep premium support. Good for larger teams or unique deploys.

endpoints

An Endpoint is an entity (person, device, workload) that is issued a certificate. Learn more >
0 10000

endpoints

Secure all your endpoints with Smallstep. Endpoints receive certificates and can be workloads, servers, devices, people, or all your things.

DevOps

Good for short-lived certificates and DevOps environments. Learn more >

$49 (1st one free)

0 10

DevOps Authorities

Advanced

Good for large infrastructures and compliant environments. Learn more >

$499 per Authority

0 10

Advanced Authorities

Smallstep Certificate Manager

Endpoints per month

Units

Rate

Total

First 50 Endpoints

$

$

51-2,000 Endpoints

$

$

Authorities per month

1st DevOps Authority

$

$

Additional DevOps Authorities

$

Advanced Authorities

$

Smallstep Account per month

$

$

Monthly Subscription

Certificate Manager is available as a managed SaaS or an on-premise service.

Contact sales for information about volume discounts and on-premise/Run Anywhere minimums.

Compare Authorities Features

Get Started

Sign up

Issue your 1st certificate in minutes

DevOps

Free

1st free then $49 per month

Advanced

Contact Sales

Per month per authority

Features
Highly-available certificate authority
Yes
Yes
Short-lived certificates with automated renewal
Yes
Yes
Private keys in GCP cloud KMS
Yes
Yes
Private Keys in GCP cloud HSM
Yes
EC-P256 root & signing key types
Yes
Yes
Registration Authorities (RAs)
One per Authority
Unlimited
Provisioners
Three per Authority
Unlimited
Provisioner management UI
Coming Soon
Coming Soon
Seamless integration with ACME & Kubernetes
Yes
Yes
Active revocation
Yes
Custom key types and key Import
Yes
BYO root & custom CA hierarchies
Yes
Certificate Allow / deny
Authority level
Authority & provisioner level
FIPS compliant step-ca (for Linked & RAs)
Coming soon
Certificate approval queue
Yes
Renew after expiry
Yes
Observability
Endpoint status reporting
Yes
Yes
Issued certificates details in UI
Yes
Yes
Expiry events via email
Yes
Yes
View authority provisioners and admins
Yes
Yes
Expiry events via webhook event
With Business Account
With Business Account
Export to webhook / SIEM
With Business Account
With Business Account
Dashboard single sign-on
With Team or Business Account
With Team or Business Account
Authenticated Issuance
Authenticated certificate issuance
Yes
Yes
ACME protocol support
All Let's Encrypt challenge types
All LE + External Account Binding
OIDC - bind user email to SAN/name for developer access
Yes
Yes
OIDC - admin user create any SAN/name for custom certificate
Yes
Yes
OIDC - SSO identity token or device auth grant workflows
Yes
Yes
AWS, GCP, Azure instance identity docs for cloud infrastructure
Yes
Yes
Password, one-time token, or multi-use token authentication
Yes
Yes
Kubernetes cert-manager Issuer
Yes
Yes
Exchange Nebula credential for x.509 certificate
Yes
Yes
Customer API
coming soon
coming soon
Authorize & Customize
Templatized customization of certificates
Yes
Yes
Allow / deny lists
Authority Level
Authority and Provisioner Level
ACME External Account Binding (EAB)
Yes
Issuance with human approver
Yes
Inventories for metadata enrichment or access control
Yes
Yes
Renewal
Single command renewal
Yes
Yes
SystemD timers
Yes
Yes
Stand-alone daemon
Yes
Yes
Cron jobs
Yes
Yes
Configuration management
Yes
Yes
Manual renewal by admin
Yes
Yes
API for renewal
Yes
Yes
Renew after expiry
Yes
Revocation
Passive revocation
Yes
Yes
UI for certificate revocation
Coming soon
Coming soon
Active revocation - CRL
Yes
Active revocation - OCSP
Yes

Get Started

Sign up

Issue your 1st certificate in minutes

SSH Basic

1st Free

additional at $49 Per Month

SSH Advanced

$499

Per month per authority

Features
Form Factor
Some tooltip
Hybrid
Self-Service SaaS
Managed by
User
Smallstep
Administration
CLI
UI / CLI
Highlu-available certificate authority
Manual
Yes

Twitter Love For Smallstep