Smallstep Certificate Manager is a commercial product that delivers a managed certificate authority (CA) capable of issuing private x.509 TLS certificates.
Certificate Manager builds on two open-source projects, maintained by smallstep:
step-ca: a private online certificate authority for secure automated certificate management.
step: a general-purpose cryptography toolkit and the client-side counterpart to step-ca.
With Certificate Manager, you can create your own private CA to manage certificates on internal services, websites, infrastructure, people, or devices.
Getting started with Certificate Manager
Create a Team and Team Admin
Create an Authority
Install step on your client
Configure your client for your Authority
Before you begin
This tutorial assumes you are setting up Certificate Manager.
Creating a team gives you access to Smallstep's products.
Click here to create a team.
You will be asked to provide:
Team Name - Usually, this is your company name.
Team URL - This is where you will access the smallstep dashboard and will also be the base domain for the CA URL for any Authorities you create.
First & Last Name - Smallstep Team administrator's name.
E-mail - Smallstep Team administrator's e-mail address.
password - This password is used to login into the Smallstep dashboard
Smallstep team admins can subscribe to and manage Smallstep products.
step 2 - Create an Authority
A Certificate Manager Authority is an online CA that authenticates and authorizes certificate requests.
It can issue, renew, and revoke your x.509 TLS certificates.
To create an Authority:
Log into the smallstep dashboard, select the Certificate Manager tab, and click the "Add Authority" button.
Choose "Create a new hosted Authority".
Give your Authority a name and subdomain value (the URL path you wish to use for your online CA).
Behind the scenes, Certificate Manager creates a new root and an online intermediate CA,
storing the private keys into Google's Cloud KMS.
If you are looking to import an existing Root or to set up Smallstep as a subordinate or intermediate CA, please contact Customer Success.
On the Authority detail page, you will see the CA URL and Fingerprint used to interact with your CA.
Certificate Manager also creates a default provisioner called authority-admin,
connected to your smallstep login.
You can use this provisioner to administer the Authority and to get certificates.
See basic certificate operations for examples.
An authority super admin account is also created, using your e-mail address as the admin name/subject.
The super admin can manage other authority admins.
Step 3 - Install step
To interact with Certificate Manager, you will need our step CLI command on your local machine.
step acts as a front-end interface to Certificate Manager and is used for many common crypto and X.509 operations.
It's trivial to install the step binary on your local machine.
The instructions are here.
Step 4 - Configure your client
Certificate Manager authorities are administered using the step CLI command.
To connect your local client with the hosted Authority, you need to bootstrap into the PKI.
Run the following command, substituting the values from your Authority's properties:
$step ca bootstrap --ca-url [YOUR CA URL] --fingerprint [YOUR AUTHORITY FINGERPRINT]
(You can always find this command on the Quick Actions section on your authority page.)
This command will download the CA Root certificate and configure your local step client to interact with the Authority.
If desired, you can also use the step CLI to install the CA Root certificate to your system's truststore.