Open Source PKI toolkit for secure automated certificate issuance and management

The Open Source step certificates project provides the infrastructure, automations, and workflows to securely create and operate a private certificate authority. Step certificates makes it easy for developers, operators and security teams to manage certificates for production workloads.

Quickly bootstrap internal PKI: get a public key infrastructure and certificate authority running in minutes.
Automate certificate management: provision and roll certificates automatically using standard APIs.
Manage keys and secrets: securely generate and distribute key materials, CSRs, and shared secrets (KDC).
Use TLS and/or SSH everywhere: build and operate systems using secure open standards (e.g. X.509, mTLS, JWT, OAuth, OIDC).
$ step ca certificate localhost srv.crt srv.key
✔ Key ID: 8GDQh5JlYiBpI0AEm5xsyc34wGMRBVEq8rNiC4 (mike@smallstep.com)
✔ CA: https://127.0.0.1:4443/1.0/sign
$ ls
srv.crt srv.go srv.key

What’s Included

Everything you need to deploy an online certificate authority and an API for easy integration.

Quickly Provision Internal PKI

Automatically generate a certificate authority, root and intermediate certificates, and configuration files. Step certificate workflow defaults enforce PKI best practices.

DevOps Friendly Toolchain

Automate client certificates using infrastructure tools like Puppet, Chef, Ansible, and Kubernetes. Verify the legitimacy of certificate signing requests (CSRs) with trusted provisioners.
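The CSR check described above, as an added example written for this page (not step-ca's own code): the CA signs a request only if the key inside the CSR actually produced it and every requested name falls within what a trusted provisioner authorized. The Grant struct, the provisioner name "ops-jwk" and the hostnames are constructed stand-ins; in step-ca the authorization travels as a signed one-time token rather than a plain struct.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// Grant is what a trusted provisioner hands a client: the names it may request and a deadline.
// In step-ca this travels as a signed one-time token; a plain struct stands in for it here
// (an assumption made for this example).
type Grant struct {
	Provisioner string
	SANs        []string
	NotAfter    time.Time
}

// AuthorizeCSR is the CA-side check before signing: the CSR must be signed by the key it carries
// (proof of possession), the grant must be current, and every requested name must be one the
// provisioner authorized. The CN counts as a requested name too, so it cannot smuggle in a host.
func AuthorizeCSR(csrDER []byte, g Grant, now time.Time) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if now.After(g.NotAfter) {
		return fmt.Errorf("grant from provisioner %q expired at %s", g.Provisioner, g.NotAfter.Format(time.RFC3339))
	}
	allowed := map[string]bool{}
	for _, s := range g.SANs {
		allowed[s] = true
	}
	requested := append([]string{csr.Subject.CommonName}, csr.DNSNames...)
	for _, ip := range csr.IPAddresses {
		requested = append(requested, ip.String())
	}
	for _, name := range requested {
		if name != "" && !allowed[name] {
			return fmt.Errorf("name %q not authorized by provisioner %q", name, g.Provisioner)
		}
	}
	return nil
}

// NewCSR builds a self-signed request for the given names, as a workload would before calling the CA.
func NewCSR(cn string, dns []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn},
		DNSNames: dns,
	}, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	now := time.Now()
	// Constructed grant: provisioner "ops-jwk" authorized srv.internal for the next five minutes.
	grant := Grant{Provisioner: "ops-jwk", SANs: []string{"srv.internal"}, NotAfter: now.Add(5 * time.Minute)}
	fmt.Println("authorized names:", AuthorizeCSR(NewCSR("srv.internal", []string{"srv.internal"}), grant, now))
	fmt.Println("extra SAN:       ", AuthorizeCSR(NewCSR("srv.internal", []string{"srv.internal", "ca.internal"}), grant, now))
	fmt.Println("stale grant:     ", AuthorizeCSR(NewCSR("srv.internal", nil), grant, now.Add(10*time.Minute)))
}
```

The first call returns nil; the second is rejected because ca.internal was never authorized, and the third because the grant has lapsed. Checking the CN alongside the SANs matters because many clients still fall back to the CN when no SAN is present.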

Cloud-Provider API Integrations

Instance identity documents (IIDs) on AWS, GCP, and Azure remove additional infrastructure requirements. Simply request single-use client tokens directly from your cloud provider’s metadata API.

Renew Certificates Automatically

Follow PKI best practices by issuing short-lived certificates that expire after 24 hours. Ensure production workloads renew certificates with well thought out workflows.

Avoid Application Changes

Passive revocation removes the effort of configuring every application and service to enforce a revoked certificate. Simply mark the certificate as revoked so it can no longer be renewed; the workload retires naturally when its short-lived certificate expires.
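The root-plus-intermediate bootstrap, the 24-hour lifetime and the passive revocation described on this page, as an added example in Go using only the standard library (written for this page, not step-ca's code). It bootstraps a root and an intermediate, issues a 24-hour server certificate, refuses renewal once the certificate is revoked, and shows the caveat a practitioner has to plan for: relying parties keep accepting a passively revoked certificate until it expires, so the lifetime bounds the exposure. The two-thirds renewal point, the CA names and the hostname srv.internal are choices made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy two-tier authority (root + intermediate) with passive revocation: revoked
// serials are only consulted when a renewal is requested, never pushed to relying parties.
type CA struct {
	Root, Intermediate *x509.Certificate
	interKey           *ecdsa.PrivateKey
	revoked            map[string]bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign issues template under parent (self-signed when parent is nil) and parses the result.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, template, parent, pub, signer))))
}

// NewCA bootstraps a root and an intermediate, the hierarchy a fresh internal PKI starts with.
func NewCA(now time.Time) *CA {
	rootKey, interKey := newKey(), newKey()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 1,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(t, nil, &rootKey.PublicKey, rootKey)
	// The intermediate reuses the template with a new serial and name and a path length of zero (leaves only).
	t.SerialNumber, t.Subject.CommonName, t.MaxPathLen, t.MaxPathLenZero = big.NewInt(2), "Example Intermediate CA", 0, true
	inter := sign(t, root, &interKey.PublicKey, rootKey)
	return &CA{Root: root, Intermediate: inter, interKey: interKey, revoked: map[string]bool{}}
}

// Issue signs a 24-hour server certificate (the lifetime the page recommends) under the intermediate.
func (ca *CA) Issue(name string, now time.Time) *x509.Certificate {
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)))
	leafKey := newKey() // in practice the workload keeps this key and only sends a CSR
	return sign(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca.Intermediate, &leafKey.PublicKey, ca.interKey)
}

// RenewAt is when a renewal daemon should ask for a fresh certificate: two-thirds through the lifetime (example policy), leaving the last third for retries.
func RenewAt(c *x509.Certificate) time.Time {
	return c.NotBefore.Add(c.NotAfter.Sub(c.NotBefore) * 2 / 3)
}

// Revoke is passive: no CRL or OCSP response is published; the serial is simply barred from renewal.
func (ca *CA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// Renew reissues for the same name unless the certificate was revoked.
func (ca *CA) Renew(c *x509.Certificate, now time.Time) (*x509.Certificate, error) {
	if ca.revoked[c.SerialNumber.String()] {
		return nil, fmt.Errorf("certificate %s revoked: renewal refused", c.SerialNumber)
	}
	return ca.Issue(c.DNSNames[0], now), nil
}

// Verify checks leaf -> intermediate -> root at the given time, as a TLS client would.
func (ca *CA) Verify(leaf *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca.Root)
	inters.AddCert(ca.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.DNSNames[0], CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	ca := NewCA(now)
	leaf := ca.Issue("srv.internal", now)
	ca.Revoke(leaf)
	_, err := ca.Renew(leaf, RenewAt(leaf))
	// The window passive revocation leaves open: renewal is refused, yet clients accept the certificate until it expires.
	fmt.Println(err, "| accepted at +23h:", ca.Verify(leaf, now.Add(23*time.Hour)) == nil, "| at +25h:", ca.Verify(leaf, now.Add(25*time.Hour)) == nil)
}
```

Run with go run: the last line prints the renewal refusal followed by true and false, the revoked certificate still verifying at +23h and failing at +25h. That gap is why the lifetime, not the revocation call, is the number to budget for when a key is believed compromised.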
