Smallstep Certificate Manager Getting Started

Smallstep Certificate Manager is a commercial product that delivers a managed certificate authority (CA) capable of issuing private x.509 TLS certificates.

Certificate Manager builds on two open-source projects, maintained by smallstep:

  • step-ca: a private online certificate authority for secure automated certificate management.
  • step: a general-purpose cryptography toolkit and the client-side counterpart to step-ca. With Certificate Manager, you can create your own private CA to manage certificates on internal services, websites, infrastructure, people, or devices.

Getting started with Certificate Manager

  1. Create a Team and Team Admin
  2. Create an Authority
  3. Install step on your client
  4. Configure your client for your Authority

Before you begin

This tutorial assumes you are setting up Certificate Manager.

If you need SSH certificates instead, see our documentation for Smallstep SSH.

Have questions? Contact Customer Success.

step 1 - Create a Smallstep Team

Creating a team gives you access to Smallstep's products. Click here to create a team. You will be asked to provide:

  • Team Name - Usually, this is your company name.
  • Team URL - This is where you will access the smallstep dashboard and will also be the base domain for the CA URL for any Authorities you create.
  • First & Last Name - Smallstep Team administrator's name.
  • E-mail - Smallstep Team administrator's e-mail address.
  • password - This password is used to login into the Smallstep dashboard

Smallstep team admins can subscribe to and manage Smallstep products.

step 2 - Create an Authority

A Certificate Manager Authority is an online CA that authenticates and authorizes certificate requests. It can issue, renew, and revoke your x.509 TLS certificates. To create an Authority:

  • Log into the smallstep dashboard, select the Certificate Manager tab, and click the "Add Authority" button.
  • Choose "Create a new hosted Authority".
  • Give your Authority a name and subdomain value (the URL path you wish to use for your online CA).
  • Choose "Create" Behind the scenes, Certificate Manager creates a new root and an online intermediate CA, storing the private keys into Google's Cloud KMS.

On the Authority detail page, you will see the CA URL and Fingerprint used to interact with your CA.

Certificate Manager also creates a default provisioner called authority-admin, connected to your smallstep login. You can use this provisioner to administer the Authority and to get certificates. See basic certificate operations for examples.

An authority super admin account is also created, using your e-mail address as the admin name/subject. The super admin can manage other authority admins.

Step 3 - Install step

To interact with Certificate Manager, you will need our step CLI command on your local machine. step acts as a front-end interface to Certificate Manager and is used for many common crypto and X.509 operations. It's trivial to install the step binary on your local machine. The instructions are here.

Step 4 - Configure your client

Certificate Manager authorities are administered using the step CLI command. To connect your local client with the hosted Authority, you need to bootstrap into the PKI. Run the following command, substituting the values from your Authority's properties:

$ step ca bootstrap --ca-url [YOUR CA URL] --fingerprint [YOUR AUTHORITY FINGERPRINT]

(You can always find this command on the Quick Actions section on your authority page.)

This command will download the CA Root certificate and configure your local step client to interact with the Authority.

If desired, you can also use the step CLI to install the CA Root certificate to the supported trust stores on your system.

Next Steps