step-ca
is an online Certificate Authority (CA) for secure, automated X.509 and SSH certificate management. It's the server counterpart to step
CLI. It is secured with mutual TLS, and it offers several configurable certificate provisioners, flexible certificate templating, and pluggable database backends to suit a wide variety of contexts and workflows. It employs sane default algorithms and attributes, so you don't have to be a security engineer to use it safely.
Teams use step-ca
to:
Issue TLS and other X.509 certificates for any entity in your internal infrastructure. Secure your infrastructure with mutual TLS (mTLS) authentication for client-server connections. Automate certificate issuance and renewal for clients and servers.
Issue SSH certificates to users and hosts. Delegate SSH authentication to step-ca
and configure its provisioners to set up a clear chain of trust for authorizing access. Automate host SSH key rotation while avoiding the risk of trust-on-first-use (TOFU). A popular configuration is illustrated in Single Sign-on SSH.
Provisioners are methods of using the CA to get certificates for humans or machines. They offer different modes of authorization for the CA.
For example, you can have your CA issue certificates in exchange for:
X.509 Templates let you customize your certificates, eg:
step-ca
ships with several built-in templates for everyday operations, and you can use Golang's text/template
syntax to create new templates.
We've built step-ca
integrations for Kubernetes, Cloud KMS, Envoy Secret Discovery Service, and Yubikey PIV, among others. See Integrations to learn more.