step-ca is an online Certificate Authority (CA) for secure, automated X.509 and SSH certificate management. It's the server counterpart to step CLI. It is secured with mutual TLS, and it offers several configurable certificate provisioners, flexible certificate templating, and pluggable database backends to suit a wide variety of contexts and workflows. It employs sane default algorithms and attributes, so you don't have to be a security engineer to use it safely.
Teams use step-ca to:
- Automate TLS certificate renewal and revocation
- Generate TLS certificates for private infrastructure using the ACME protocol
- Issue customized X.509 and SSH certificates
- Add ACME support to an existing subordinate CA
- Issue short-lived SSH certificates via OAuth OIDC single sign on
- and much more ...
Issue TLS and other X.509 certificates for any entity in your internal infrastructure. Secure your infrastructure with mutual TLS (mTLS) authentication for client-server connections. Automate certificate issuance and renewal for clients and servers.
Issue SSH certificates to users and hosts. Delegate SSH authentication to step-ca and configure its provisioners to set up a clear chain of trust for authorizing access. Automate host SSH key rotation while avoiding the risk of trust-on-first-use (TOFU). A popular configuration is illustrated in Single Sign-on SSH.
Provisioners are methods of using the CA to get certificates for humans or machines. They offer different modes of authorization for the CA.
For example, you can have your CA issue certificates in exchange for:
- ACME challenge responses from any ACMEv2 client
- OAuth OIDC single sign-on tokens, eg:
- ID tokens from Okta, G Suite, Azure AD, Auth0.
- Cloud instance identity documents, for VMs on AWS, GCP, and Azure
- Single-use, short-lived JWK tokens issued by your CD tool — Puppet, Chef, Ansible, Terraform, etc.
X.509 Templates let you customize your certificates, eg:
- Add custom SANs or non-standard X.509 Object Identifiers (OIDs) to certificates
- Restrict certificates by domain name or key size
- Issue CA certificates with longer path lengths for multiple intermediaries
step-ca ships with several built-in templates for everyday operations, and you can use Golang's text/template syntax to create new templates.
For strong protection of your CA signing keys, we've built step-ca integrations for PKCS #11 HSMs, Google Cloud KMS, AWS KMS, and Yubikey PIV, among others.
step-ca plays well with Kubernetes cert-manager and Envoy Secret Discovery Service. See Integrations to learn more.
