Certificate Manager

Complete certificate lifecycle management for all your workloads, devices, and people.

Smallstep

Certificate Manager Offerings

Sign up, it's free. No credit card required.

Linked step-ca
Create Dashboard
CM Professional
Sign Up
CM Run Anywhere
Contact Us
Pricing
Free
Free to start then by Authority and Endpoint
By Authority and Endpoint
Form Factor
Open source step-ca with cloud observability
SaaS with private key in Google KMS
On-premise or your cloud
Pricing Details
Free for one linked step-ca.
First Authority and first 50 Endpoints are free. Then by Authority and Endpoint.
Annual contract by Authority and Endpoint with monthly minimum.
Features
  • Expiry warnings and alerts
  • Certificates list and details
  • Provisioners and Templates
  • Passive revocation
  • HSM & cloud KMS support
  • Community support
  • Linked step-ca plus
  • Highly available Authorities
  • Authorized issuance lists
  • Active revocation
  • Export to SIEM
  • Smallstep support
  • CM Professional Plus
  • On premise or your cloud
  • Flexible deployments
  • Implementation services
  • Smallstep support
CM Professional
Sign Up
Pricing
Free to start then by Authority and Endpoint
Form Factor
SaaS with private key in Google KMS
Pricing Details
First Authority and first 50 Endpoints are free. Then by Authority and Endpoint.
Features
  • Linked step-ca plus
  • Highly available Authorities
  • Authorized issuance lists
  • Active revocation
  • Export to SIEM
  • Smallstep support
Contact us for information about volume discounts and Run Anywhere minimums.
Your data is safe with Smallstep, learn more.

Pricing

Certificate Manager is sold as a subscription, licensed by the number of Authorities and the number of Endpoints.

Authorities are linked step-ca instances, Issuing Authorities, or Validation Authorities that authenticate, validate or issue certificates to Endpoints. Authorities are billed monthly per Authority.

Endpoints receive and renew certificates from Authorities. Endpoints are metered hourly for the duration of the certificate lifetime. Total Endpoints is the count of all active endpoints across all Authorities.

First Authority

$0.00

2 - 10 Authorities

$500.00/month

Over 10

0 - 50 endpoints

$0.00

51 - 2,000

$0.75/month

2,001 - 10,000

$0.35/month

10,001 - 25,000

$0.05/month

Over 25,000

Pricing Calculator

Certificate Manager Professional and Run Anywhere are priced monthly by the number of Authorities and Endpoints. Use the calculator below to estimate your monthly charges.

Smallstep Certificate Manager

Authorities - per authority/month

1st Authority ($0)

$0.00

Additional Authorities ($500/month)

Endpoints - per device/month

0 - 50 endpoints ($0.00)

$0.00

51 - 2000 endpoints ($0.75)

2,001 - 10,000 endpoints ($0.35)

Over 10,000 endpoints ($0.05)

Monthly Subscription

$0.00

Linked step-ca
Create Dashboard
CM Professional
Sign up
CM Run Anywhere
Contact us
Features
Form factor
Hybrid
Self-Service SaaS
On-Premise or Cloud
Managed by
User
Smallstep
Customer
Administration
CLI
UI / CLI
UI / CLI
Highly-available certificate authority
Manual
Yes
Yes
Private keys in cloud KMS
Manual
Yes
Yes
Private Keys in dedicated HSM
Manual
Optional
Yes
Number of Authorities
One
Unlimited
Unlimited
Open source certificate authority
Yes
Yes
Yes
Short-lived certificates with automated renewal
Yes
Yes
Yes
Cloud managed, on-prem signing CA
Yes
Yes
Yes
Run anywhere Registration Authorites (RAs)
Yes
Yes
Yes
Cloud hosted CA
Yes
Yes
Active revocation
Yes
Yes
Export to webhook / SIEM
Yes
Yes
Observability
Issued certificates details in UI
Yes
Yes
Yes
Expiry events via email
Yes
Yes
Yes
Expiry events via webhook
Yes
Yes
Export to webhook / SIEM
Yes
Yes
Authenticated Issuance
Authenticated certificate issuance
Yes
Yes
Yes
ACME DNS, HTTP, ALPN, IP, and EAB challenges
Yes
Yes
Yes
OIDC - bind user email to SAN/name for developer access
Yes
Yes
Yes
OIDC - Admin user create any SAN/name for custom certificate
Yes
Yes
Yes
OIDC - SSO identity token or device auth grant workflows
Yes
Yes
Yes
AWS, GCP, Azure instance identity docs for cloud infrastructure
Yes
Yes
Yes
Existing valid certificate for derived credentials
Yes
Yes
Yes
JWK for password, one-time token, or multi-use token authentication
Yes
Yes
Yes
API for a certificate
Yes
Yes
Issue cert via UI
Coming soon
Coming soon
Authorize & Customize
Templatized customization of certificates
Yes
Yes
Yes
Template customization - UI
Coming soon
Coming soon
Coming soon
Template customization - CLI
Yes
Yes
Yes
Name constraints on Authority
Yes
Yes
Yes
Allow / deny lists on provisioners
Yes
Yes
Yes
Inventories - metadata enrichment or access control
Coming soon
Coming soon
Use metadata to authorize certificate issuance
Coming soon
Coming soon
Enrich CSR metadata with 3rd party directory
Coming soon
Coming soon
Renewal
single command renewal
Yes
Yes
Yes
SystemD timers
Yes
Yes
Yes
Stand-alone daemon
Yes
Yes
Yes
Cron jobs
Yes
Yes
Yes
ACME challenges
Yes
Yes
Yes
OIDC - single sign-on flow
Yes
Yes
Yes
Configuration management
Yes
Yes
Yes
API for renewal
Yes
Yes
Yes
Renew after expiry
Yes
Yes
Yes
Manual renewal by Admin
Yes
Yes
Yes
Revocation
Passive revocation
Yes
Yes
Yes
Active revocation - CRL
Yes
Yes
Active revocation - OCSP
Yes
Yes
Validation Authority
Yes
Yes
Support
Provider
Community
Smallstep
Smallstep
Releases
Community
Current release
n-1
Channels
Community
Ticket
Ticket
Availability
Community
48-hour response
48-hour response
Features
Form factor
Hybrid
Managed by
User
Administration
CLI
Highly-available certificate authority
Manual
Private keys in cloud KMS
Manual
Private Keys in dedicated HSM
Manual
Number of Authorities
One
Open source certificate authority
Yes
Short-lived certificates with automated renewal
Yes
Cloud managed, on-prem signing CA
Yes
Run anywhere Registration Authorites (RAs)
Yes
Cloud hosted CA
Active revocation
Export to webhook / SIEM
Observability
Issued certificates details in UI
Yes
Expiry events via email
Yes
Expiry events via webhook
Export to webhook / SIEM
Authenticated Issuance
Authenticated certificate issuance
Yes
ACME DNS, HTTP, ALPN, IP, and EAB challenges
Yes
OIDC - bind user email to SAN/name for developer access
Yes
OIDC - Admin user create any SAN/name for custom certificate
Yes
OIDC - SSO identity token or device auth grant workflows
Yes
AWS, GCP, Azure instance identity docs for cloud infrastructure
Yes
Existing valid certificate for derived credentials
Yes
JWK for password, one-time token, or multi-use token authentication
Yes
API for a certificate
Issue cert via UI
Authorize & Customize
Templatized customization of certificates
Yes
Template customization - UI
Coming soon
Template customization - CLI
Yes
Name constraints on Authority
Yes
Allow / deny lists on provisioners
Yes
Inventories - metadata enrichment or access control
Use metadata to authorize certificate issuance
Enrich CSR metadata with 3rd party directory
Renewal
single command renewal
Yes
SystemD timers
Yes
Stand-alone daemon
Yes
Cron jobs
Yes
ACME challenges
Yes
OIDC - single sign-on flow
Yes
Configuration management
Yes
API for renewal
Yes
Renew after expiry
Yes
Manual renewal by Admin
Yes
Revocation
Passive revocation
Yes
Active revocation - CRL
Active revocation - OCSP
Validation Authority
Support
Provider
Community
Releases
Community
Channels
Community
Availability
Community

Twitter Love For Smallstep