Pricing

Certificate Manager Offerings

Sign up, it's free. No credit card required.

Linked step-ca

Create Dashboard

CM Professional

Sign Up

CM Run Anywhere

Contact Us

Pricing

Free

Free to start then by Authority and Endpoint

By Authority and Endpoint

Form Factor

Open source step-ca with cloud observability

SaaS with private key in Google KMS

On-premise or your cloud

Pricing Details

Free for one linked step-ca.

First Authority and first 50 Endpoints are free. Then by Authority and Endpoint.

Annual contract by Authority and Endpoint with monthly minimum.

Features

Expiry warnings and alerts
Certificates list and details
Provisioners and Templates
Passive revocation
HSM & cloud KMS support
Community support

Linked step-ca plus
Highly available Authorities
Authorized issuance lists
Active revocation
Export to SIEM
Smallstep support

CM Professional Plus
On premise or your cloud
Flexible deployments
Implementation services
Smallstep support

Linked step-ca
CM Professional
CM Run Anywhere

Linked step-ca

Create Dashboard

Pricing

Free

Form Factor

Open source step-ca with cloud observability

Pricing Details

Free for one linked step-ca.

Features

Expiry warnings and alerts
Certificates list and details
Provisioners and Templates
Passive revocation
HSM & cloud KMS support
Community support

CM Professional

Sign Up

Pricing

Free to start then by Authority and Endpoint

Form Factor

SaaS with private key in Google KMS

Pricing Details

First Authority and first 50 Endpoints are free. Then by Authority and Endpoint.

Features

Linked step-ca plus
Highly available Authorities
Authorized issuance lists
Active revocation
Export to SIEM
Smallstep support

CM Run Anywhere

Contact Us

Pricing

By Authority and Endpoint

Form Factor

On-premise or your cloud

Pricing Details

Annual contract by Authority and Endpoint with monthly minimum.

Features

CM Professional Plus
On premise or your cloud
Flexible deployments
Implementation services
Smallstep support

Contact us for information about volume discounts and Run Anywhere minimums.
Your data is safe with Smallstep, learn more.

Compare Features

Pricing

Certificate Manager is sold as a subscription, licensed by the number of Authorities and the number of Endpoints.

Authorities are linked step-ca instances, Issuing Authorities, or Validation Authorities that authenticate, validate or issue certificates to Endpoints. Authorities are billed monthly per Authority.

Endpoints receive and renew certificates from Authorities. Endpoints are metered hourly for the duration of the certificate lifetime. Total Endpoints is the count of all active endpoints across all Authorities.

First Authority

$0.00

2 - 10 Authorities

$500.00/month

Over 10

Contact Us

0 - 50 endpoints

$0.00

51 - 2,000

$0.75/month

2,001 - 10,000

$0.35/month

10,001 - 25,000

$0.05/month

Over 25,000

Linked step-ca

CM Professional

CM Run Anywhere

Features

Form factor

Hybrid

Self-Service SaaS

On-Premise or Cloud

Managed by

User

Smallstep

Customer

Administration

CLI

UI / CLI

Highly-available certificate authority

Manual

Private keys in cloud KMS

Manual

Private Keys in dedicated HSM

Manual

Optional

Number of Authorities

One

Unlimited

Open source certificate authority

Short-lived certificates with automated renewal

Cloud managed, on-prem signing CA

Run anywhere Registration Authorites (RAs)

Cloud hosted CA

Active revocation

Export to webhook / SIEM

Observability

Issued certificates details in UI

Expiry events via email

Expiry events via webhook

Export to webhook / SIEM

Authenticated Issuance

Authenticated certificate issuance

ACME DNS, HTTP, ALPN, IP, and EAB challenges

OIDC - bind user email to SAN/name for developer access

OIDC - Admin user create any SAN/name for custom certificate

OIDC - SSO identity token or device auth grant workflows

AWS, GCP, Azure instance identity docs for cloud infrastructure

Existing valid certificate for derived credentials

JWK for password, one-time token, or multi-use token authentication

API for a certificate

Issue cert via UI

Coming soon

Authorize & Customize

Templatized customization of certificates

Template customization - UI

Coming soon

Template customization - CLI

Name constraints on Authority

Allow / deny lists on provisioners

Inventories - metadata enrichment or access control

Coming soon

Use metadata to authorize certificate issuance

Coming soon

Enrich CSR metadata with 3rd party directory

Coming soon

Renewal

single command renewal

SystemD timers

Stand-alone daemon

Cron jobs

ACME challenges

OIDC - single sign-on flow

Configuration management

API for renewal

Renew after expiry

Manual renewal by Admin

Revocation

Passive revocation

Active revocation - CRL

Active revocation - OCSP

Validation Authority

Support

Provider

Community

Smallstep

Releases

Community

Current release

n-1

Channels

Community

Ticket

Availability

Community

48-hour response

Linked step-ca
CM Professional
CM Run Anywhere

Create Dashboard

Features

Form factor

Hybrid

Managed by

User

Administration

CLI

Highly-available certificate authority

Manual

Private keys in cloud KMS

Manual

Private Keys in dedicated HSM

Manual

Number of Authorities

One

Open source certificate authority

Short-lived certificates with automated renewal

Cloud managed, on-prem signing CA

Run anywhere Registration Authorites (RAs)

Cloud hosted CA

Active revocation

Export to webhook / SIEM

Observability

Issued certificates details in UI

Expiry events via email

Expiry events via webhook

Export to webhook / SIEM

Authenticated Issuance

Authenticated certificate issuance

ACME DNS, HTTP, ALPN, IP, and EAB challenges

OIDC - bind user email to SAN/name for developer access

OIDC - Admin user create any SAN/name for custom certificate

OIDC - SSO identity token or device auth grant workflows

AWS, GCP, Azure instance identity docs for cloud infrastructure

Existing valid certificate for derived credentials

JWK for password, one-time token, or multi-use token authentication

API for a certificate

Issue cert via UI

Authorize & Customize

Templatized customization of certificates

Template customization - UI

Coming soon

Template customization - CLI

Name constraints on Authority

Allow / deny lists on provisioners

Inventories - metadata enrichment or access control

Use metadata to authorize certificate issuance

Enrich CSR metadata with 3rd party directory

Renewal

single command renewal

SystemD timers

Stand-alone daemon

Cron jobs

ACME challenges

OIDC - single sign-on flow

Configuration management

API for renewal

Renew after expiry

Manual renewal by Admin

Revocation

Passive revocation

Active revocation - CRL

Active revocation - OCSP

Validation Authority

Support

Provider

Community

Releases

Community

Channels

Community

Availability

Community

Sign up

Features

Form factor

Self-Service SaaS

Managed by

Smallstep

Administration

UI / CLI

Highly-available certificate authority

Private keys in cloud KMS

Private Keys in dedicated HSM

Optional

Number of Authorities

Unlimited

Open source certificate authority

Short-lived certificates with automated renewal

Cloud managed, on-prem signing CA

Run anywhere Registration Authorites (RAs)

Cloud hosted CA

Active revocation

Export to webhook / SIEM

Observability

Issued certificates details in UI

Expiry events via email

Expiry events via webhook

Export to webhook / SIEM

Authenticated Issuance

Authenticated certificate issuance

ACME DNS, HTTP, ALPN, IP, and EAB challenges

OIDC - bind user email to SAN/name for developer access

OIDC - Admin user create any SAN/name for custom certificate

OIDC - SSO identity token or device auth grant workflows

AWS, GCP, Azure instance identity docs for cloud infrastructure

Existing valid certificate for derived credentials

JWK for password, one-time token, or multi-use token authentication

API for a certificate

Issue cert via UI

Coming soon

Authorize & Customize

Templatized customization of certificates

Template customization - UI

Coming soon

Template customization - CLI

Name constraints on Authority

Allow / deny lists on provisioners

Inventories - metadata enrichment or access control

Coming soon

Use metadata to authorize certificate issuance

Coming soon

Enrich CSR metadata with 3rd party directory

Coming soon

Renewal

single command renewal

SystemD timers

Stand-alone daemon

Cron jobs

ACME challenges

OIDC - single sign-on flow

Configuration management

API for renewal

Renew after expiry

Manual renewal by Admin

Revocation

Passive revocation

Active revocation - CRL

Active revocation - OCSP

Validation Authority

Support

Provider

Smallstep

Releases

Current release

Channels

Ticket

Availability

48-hour response

Contact us

Features

Form factor

On-Premise or Cloud

Managed by

Customer

Administration

UI / CLI

Highly-available certificate authority

Private keys in cloud KMS

Private Keys in dedicated HSM

Number of Authorities

Unlimited

Open source certificate authority

Short-lived certificates with automated renewal

Cloud managed, on-prem signing CA

Run anywhere Registration Authorites (RAs)

Cloud hosted CA

Active revocation

Export to webhook / SIEM

Observability

Issued certificates details in UI

Expiry events via email

Expiry events via webhook

Export to webhook / SIEM

Authenticated Issuance

Authenticated certificate issuance

ACME DNS, HTTP, ALPN, IP, and EAB challenges

OIDC - bind user email to SAN/name for developer access

OIDC - Admin user create any SAN/name for custom certificate

OIDC - SSO identity token or device auth grant workflows

AWS, GCP, Azure instance identity docs for cloud infrastructure

Existing valid certificate for derived credentials

JWK for password, one-time token, or multi-use token authentication

API for a certificate

Issue cert via UI

Coming soon

Authorize & Customize

Templatized customization of certificates

Template customization - UI

Coming soon

Template customization - CLI

Name constraints on Authority

Allow / deny lists on provisioners

Inventories - metadata enrichment or access control

Coming soon

Use metadata to authorize certificate issuance

Coming soon

Enrich CSR metadata with 3rd party directory

Coming soon

Renewal

single command renewal

SystemD timers

Stand-alone daemon

Cron jobs

ACME challenges

OIDC - single sign-on flow

Configuration management

API for renewal

Renew after expiry

Manual renewal by Admin

Revocation

Passive revocation

Active revocation - CRL

Active revocation - OCSP

Validation Authority

Support

Provider

Smallstep

Releases

n-1

Channels

Ticket

Availability

48-hour response

Certificate Manager

Complete certificate lifecycle management for all your workloads, devices, and people.

Certificate Manager Offerings

Pricing

Pricing Calculator

Smallstep Certificate Manager

Twitter Love For Smallstep