Smallstep CM Pricing

Smallstep Cloud Platform


from $0*

For a single user in dev and homelab environmments.

  • 1 user
  • 1 DevOps Authority
  • 20 managed certificate endpoints
  • Community Support via Discord

*Utilization of Advanced Authority features will result in charges while on Free plan


from $249

For small teams and standard deploys.

  • Okta, Azure AD, Google Workplace integration
  • 3 admin users
  • 50 managed certificate endpoints
  • 1 DevOps Authority
  • Access to Advanced Authority features
  • SIEM integration
  • Standard Customer Support



For larger team with enterprise environments.

  • Okta, Azure AD, Google Workplace integration
  • Unlimited admin users
  • Unlimited managed certificate endpoints
  • Unlimited DevOps Authority
  • Unlimited Advanced Authority
  • SIEM integration
  • Premium Customer Support

Have a large environment?

Additional Certificate Endpoints are available with bulk discounts.

Talk to the PKI experts to see if you could be saving big on your securely managed endpoints.

Compare Authorities Features

Get Started

Sign up

Issue your 1st certificate in minutes



1st free then $49 per month



Per month per authority


Highly-available certificate authority

Short-lived certificates with automated renewal

Private keys in GCP cloud KMS

Private Keys in GCP cloud HSM

EC-P256 root & signing key types

Registration Authorities (RAs)

One per Authority



Three per Authority


Provisioner management UI

Coming Soon

Coming Soon

Seamless integration with ACME & Kubernetes

Active revocation

Custom key types and key Import

BYO root & custom CA hierarchies

Certificate Allow / deny

Authority level

Authority & provisioner level

FIPS compliant step-ca (for Linked & RAs)

Coming soon

Certificate approval queue

Renew after expiry


Endpoint status reporting

Issued certificates details in UI

Expiry events via email

View authority provisioners and admins

Expiry events via webhook event

With Business Account

With Business Account

Export to webhook / SIEM

With Business Account

With Business Account

Dashboard single sign-on

With Team or Business Account

With Team or Business Account

Authenticated Issuance

Authenticated certificate issuance

ACME protocol support

All Let's Encrypt challenge types

All LE + External Account Binding

OIDC - bind user email to SAN/name for developer access

OIDC - admin user create any SAN/name for custom certificate

OIDC - SSO identity token or device auth grant workflows

AWS, GCP, Azure instance identity docs for cloud infrastructure

Password, one-time token, or multi-use token authentication

Kubernetes cert-manager Issuer

Exchange Nebula credential for x.509 certificate

Exchange Nebula credential for x.509 certificate

Customer API

Coming Soon

Coming Soon

Authorize & Customize

Templatized customization of certificates

Allow / deny lists

Authority Level

Authority and Provisioner Level

ACME External Account Binding (EAB)

Issuance with human approver

Inventories for metadata enrichment or access control


Single command renewal

SystemD timers

Stand-alone daemon

Cron jobs

Configuration management

Manual renewal by admin

API for renewal

Renew after expiry


Passive revocation

UI for certificate revocation

Coming Soon

Coming Soon

Active revocation - CRL

Active revocation - OCSP

Twitter Love For Smallstep