Core Concepts

The Smallstep Platform is powered by a number of components that can be combined to deliver automated certificate management for a broad set of use cases and implementations.

The components include:

  • Authorities— Certificate or registration authorities powered by step-ca
  • Provisioners— Machinery for securely automating certificate issuance
  • Inventories— Catalogs of entities like hosts, services, and people for use with templates and provisioners
  • Templates— Customization of x.509 or SSH certificates for any use case
  • Events— Observability and alerting for certificate lifecycle activities


Authorities, powered by step-ca, are the foundation of the Smallstep Platform and provide core certificate signing and management functions (issue, renew, and revoke certificates). Authorities are used to issue and sign certificates and can run at any level of the PKI trust chain.

  • Root CA - At the bottom of the PKI trust chain is the root authority. Typically, a Root CA is only invoked to sign intermediate CA certificates. This indirection allows for redundant topologies and facilitates migrations. It also means root CA private keys can be managed, stored, and accessed with more care. For the most security-sensitive use cases root signing keys can even be kept offline in a physically secure environment.
  • Intermediate CA - Automated certificate management requires an online CA with an API that's capable of authenticating certificate signing requests (CSRs) and issuing certificates. An intermediate CA is used to sign and issue certificates for devices, people, workloads, or whatever else you need to identify.
  • Registration Authority - Not a certificate signer, a Registration Authority accepts and verifies certificate requests. Upon verification, certificate signing requests are passed to an Intermediate CA or Root CA to sign and catalog. Registration Authorities are useful for connecting remote sites to a central set of signing authorities.


Provisioners verify the legitimacy of certificate signing requests and attest to the identity of the requesting service or human. Used to help bootstrap new entities into the PKI, each Provisioner addresses a particular environment, enabling different use cases. A few examples include:

  • OIDC Provisioner - Useful for getting certificates to people, the OAuth/OpenID Connect (OIDC) Provisioner uses identity tokens for authentication. With this provisioner, you can use single sign-on with G Suite, Okta, Azure Active Directory, or any other OAuth OIDC provider to verify the user's identity before issuing a certificate.
  • ACME Provisioner - Useful for automating TLS certificates, the ACME provisioner provides CSR generation, domain ownership verification, certificate download, and installation. With support for all of the ACME challenge types supported by Let’s Encrypt (HTTP, DNS, ALPN), the ACME provisioner unlocks the entire ACME ecosystem of tools and clients.
  • Cloud API Provisioners - Useful for issuing certificates to public cloud virtual machines, Cloud API Provisioners use the native cloud provider API and instance identity documents to automate certificates. With support for AWS, GCP, and Azure metadata APIs, the Cloud API provisioner accelerates secure cloud operations.
  • JWK Provisioner - Useful for a broad range of workflows, the JWK provisioner provides a flexible JSON Web Token-based authentication flow. Often paired with infrastructure automation solutions, the JWK Provisioner can deliver one-time tokens to a new workload to later be exchanged for an x.509 certificate.


Inventories are catalogs or lists of entities like hosts, services, locations, or people. Inventories provide a secure mapping between details that are available from the credential used to request a certificate and additional metadata that needs to be bound in the issued certificate. You can use Inventories along with other Smallstep Platform components to:

  • Customize Certificates - An inventory can map the hostname of a VM to the name of a workload running on that VM, or map an email address to a POSIX username. In both cases, the name in the authentication credential used to request a certificate does not match the name that should be in the issued certificate.
  • Authorize Certificate Requests - Inventory metadata can also be used to authorize a certificate request. For example, certificate issuance via the OIDC provisioner can be restricted to a particular subdomain based on group membership information maintained in a user inventory.


Templates are JSON documents that describe the most important fields in the final certificate or certificate request. Used to customize x.509 or SSH certificates for any use case, Templates allow you to add custom SANs or extensions:

  • Customize certificates for a broad range of applications and integrations.
  • Provides full control of all of certificate fields, even add custom extensions.
  • Automate custom certificate generation and skip the manual workflows.


Events power alerting for certificate lifecycle activities. Used to help administrators operate the Smallstep Platform, Events can be generated and surfaced via standard mechanisms.