step-ca is an online Certificate Authority (CA) for secure, automated X.509 and SSH certificate management. It's the server counterpart to step CLI. It is secured with mutual TLS, and it offers several configurable certificate provisioners, flexible certificate templating, and pluggable database backends to suit a wide variety of contexts and workflows. It employs sane default algorithms and attributes, so you don't have to be a security engineer to use it safely.
Issue TLS and other X.509 certificates for any entity in your internal infrastructure. Secure your infrastructure with mutual TLS (mTLS) authentication for client-server connections. Automate certificate issuance and renewal for clients and servers.
Issue SSH certificates to users and hosts. Delegate SSH authentication to step-ca and configure its provisioners to set up a clear chain of trust for authorizing access. Automate host SSH key rotation while avoiding the risk of trust-on-first-use (TOFU). A popular configuration is illustrated in Single Sign-on SSH.
Provisioners are methods of using the CA to get certificates for humans or machines. They offer different modes of authorization for the CA.
For example, you can have your CA issue certificates in exchange for:
X.509 Templates let you customize your certificates, e.g.:
step-ca ships with several built-in templates for everyday operations, and you can use Golang's text/template syntax to create new templates.
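As an added illustration of the text/template syntax mentioned above (this is not step-ca's own code or one of its shipped templates), the Go program below renders a constructed certificate template and rejects output that is not valid JSON. The variable names `.Subject`, `.SANs` and `.KeyType`, the `toJson` helper, and the sample values are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed template in Go text/template syntax. The variable names and the
// toJson helper are assumptions for this example, not step-ca's shipped files.
const leafTemplate = `{
  "subject": {{ toJson .Subject }},
  "sans": {{ toJson .SANs }},
{{- if eq .KeyType "RSA" }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}`

type TemplateData struct { // request values the template may reference
	Subject, KeyType string
	SANs             []string
}

// toJSON JSON-encodes a value so requester-supplied text stays one JSON value.
func toJSON(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

var leaf = template.Must(template.New("leaf").
	Funcs(template.FuncMap{"toJson": toJSON}).Parse(leafTemplate))

// Render executes the template and returns an error if the output is not valid JSON.
func Render(d TemplateData) (map[string]interface{}, error) {
	var buf bytes.Buffer
	if err := leaf.Execute(&buf, d); err != nil {
		return nil, err
	}
	var out map[string]interface{}
	err := json.Unmarshal(buf.Bytes(), &out) // malformed output surfaces here
	return out, err
}

func main() {
	fmt.Println(Render(TemplateData{Subject: "web.internal", KeyType: "EC", SANs: []string{"web.internal"}}))
}
```

Encoding every request-derived value through a JSON helper, rather than interpolating it between literal quotes, is what keeps a subject containing quotes or commas from changing the structure of the rendered certificate.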
For strong protection of your CA signing keys, we've built step-ca integrations for PKCS #11 HSMs, Google Cloud KMS, AWS KMS, and Yubikey PIV, among others.
step-ca plays well with Kubernetes cert-manager and Envoy Secret Discovery Service. See Integrations to learn more.