Smallstep
Overview
How it works
Pricing
Sign Up

Certificate Manager Offerings

Sign up, it's free.

Certificate Manager is available as a managed SaaS service or an on-premise Run Anywhere subscription. Pricing is by Authorities, Endpoints, and Smallstep Support Account.

Contact us for information about volume discounts and Run Anywhere minimums.

Pricing Calculator

Sign up
Have questions?

Smallstep Certificate Manager

Authorities month

1st DevOps Authority ($0)

$0

Additional DevOps Authorities ($49/month)

Advanced Authorities ($499/month)

Endpoints per month

0 - 50 endpoints ($0.00)

$0

51 - 2000 endpoints ($0.75)

2,001 - 10,000 endpoints ($0.35)

Over 10,000 endpoints ($0.05)

Smallstep Account per month

Free ($0)

$0

Monthly Subscription

$0

Certificate Manager Authorities

DevOps

Free

First Free, additional @ $49 Per Month / Per Authority

  • Good for short-lived certificates and DevOps environments
  • Highly available cloud-hosted x.509 CA
  • Endpoints and certificate dashboard
  • Expiry Warnings & Alerts
  • Up to three authentication workflows
  • An ACME Registration Authority

Advanced

$499

Per Month / Per Authority

  • Good for large infrastructures and compliant environments
  • Unlimited authentication workflows
  • Unlimited Registration Authorities
  • FIPS compliant step-ca
  • BYO Root & custom CA Hierarchies
  • Active revocation (early access)
Compare all features >

We Have Two SSH Solutions

Contact Us with Questions

  • Try our full-featured SSH Product that delivers single sign-on SSH, access control, user lifecycle management, event reporting, and more.
  • or
  • Build a custom SSH workflow with Certificate Manager. Contact us for access. Self-service coming soon.

Smallstep Account

Free

$0.00

  • Good for dev, personal & homelab projects
  • One administrator
  • Login with Google
  • Discord Community Support

Team

$249 Per Month

  • Good for small teams or standard deploys
  • Three administrators
  • Single sign-on to dashboard
  • Smallstep Support via Ticket

Business

$999 Per Month

  • Good for larger teams or unique deploys
  • Team plus:
  • Unlimited administrators
  • SIEM / webhook integrations
  • Access to Smallstep Experts (1:1 zoom via calendly link)
  • Open source step-ca and cli support
  • Smallstep Support via Ticket, Slack, or email

Custom

Contact Us >
  • Good for custom deployments
  • Business Plus:
  • Custom recommendations, deploys and pricing
  • Architecture reviews
  • Implementation services
  • Enterprise Smallstep Support

Twitter Love For Smallstep

Compare Authorities Features

Get Started

Sign up

Issue your 1st certificate in minutes

DevOps

Free

1st free then $49 per month

Advanced

$499

Per month per authority

Features
Highly-available certificate authority
Yes
Yes
Short-lived certificates with automated renewal
Yes
Yes
Private keys in GCP cloud KMS
Yes
Yes
Private Keys in GCP cloud HSM
Yes
EC-P256 root & signing key types
Yes
Yes
Registration Authorities (RAs)
One per Authority
Unlimited
Provisioners with templates
Three per Authority
Unlimited
ACME & K8s cert-manager support
Yes
Yes
Active revocation
Yes
Custom key types and key Import
Yes
BYO root & custom CA hierarchies
Yes
Certificate Allow / deny
Authority level
Authority & provisioner level
Advanced ACME access control
Yes
FIPS compliant step-ca (for Linked & RAs)
Coming soon
Certificate approval queue
Yes
Renew after expiry
Yes
Observability
Endpoint status reporting
Yes
Yes
Issued certificates details in UI
Yes
Yes
Expiry events via email
Yes
Yes
View authority provisioners and admins
Yes
Yes
Expiry events via webhook event
With Business Account
With Business Account
Export to webhook / SIEM
With Business Account
With Business Account
Dashboard single sign-on
With Team or Business Account
With Team or Business Account
Authenticated Issuance
Authenticated certificate issuance
Yes
Yes
ACME protocol support
All Let's Encrypt challenge types
All LE + External Account Binding
OIDC - bind user email to SAN/name for developer access
Yes
Yes
OIDC - admin user create any SAN/name for custom certificate
Yes
Yes
OIDC - SSO identity token or device auth grant workflows
Yes
Yes
AWS, GCP, Azure instance identity docs for cloud infrastructure
Yes
Yes
Existing valid certificate for derived credentials
Yes
Yes
Password, one-time token, or multi-use token authentication
Yes
Yes
Kubernetes cert-manager Issuer
Yes
Yes
Exchange Nebula credential for x.509 certificate
Yes
Yes
Customer API
coming soon
coming soon
Authorize & Customize
Templatized customization of certificates
Yes
Yes
Allow / deny lists
Authority Level
Authority and Provisioner Level
ACME External Account Binding (EAB)
Yes
Issuance with human approver
Yes
Inventories for metadata enrichment or access control
coming soon
Renewal
Single command renewal
Yes
Yes
SystemD timers
Yes
Yes
Stand-alone daemon
Yes
Yes
Cron jobs
Yes
Yes
Configuration management
Yes
Yes
Manual renewal by admin
Yes
Yes
API for renewal
Yes
Yes
Renew after expiry
Yes
Revocation
Passive revocation
Yes
Yes
UI for certificate revocation
Yes
Yes
Active revocation - CRL
Yes
Active revocation - OCSP
Yes

Get Started

Sign up

Issue your 1st certificate in minutes

SSH Basic

1st Free

additional at $49 Per Month

SSH Advanced

$499

Per month per authority

Features
Form Factor
Some tooltip
Hybrid
Self-Service SaaS
Managed by
User
Smallstep
Administration
CLI
UI / CLI
Highlu-available certificate authority
Manual
Yes