Menu
Products
Open Source
- Run a private internal ACME CA
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
Products
Open Source
- Run a private internal ACME CA
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
Introduction to step-ca
step-castep-ca is an online Certificate Authority (CA) for secure, automated X.509 and SSH certificate management.
It's the server counterpart to step CLI.
It is secured with TLS,
and it offers several configurable certificate provisioners, flexible certificate templating, and pluggable database backends to suit a wide variety of contexts and workflows.
It employs sane default algorithms and attributes,
so you don't have to be a security engineer to use it securely.
Teams use step-ca to:
- Generate TLS certificates for private infrastructure using the ACME protocol
- Automate TLS certificate renewal
- Add ACME support to an existing subordinate CA
- Issue short-lived SSH certificates via OAuth OIDC single sign on
- Issue customized X.509 and SSH certificates
- and much more ...
Features
X.509 Certificate Authority
step-ca issues X.509 certificates for use with TLS, mutual TLS (mTLS) authentication, document signing, and X.509 authentication more broadly.
With step-ca, you can:
- Automate certificate issuance and renewal for clients and servers and Kubernetes workloads.
- Issue certificates to humans, eg. using Single Sign-on (OpenID Connect) for authenication.
- Choose key types (RSA, ECDSA, EdDSA) and lifetimes to suit your needs
- Issue short-lived certificates with automated enrollment, renewal, and passive revocation
- Operate an online intermediate CA to an existing root CA, eg. to add support for ACME to an existing PKI
- Operate a local Registration Authority (RA) on an internal network or inside a Kubernetes cluster, that authorizes certificate requests for an upstream
step-caserver. - Deploy a high availability (HA) Certificate Authority using root federation and/or multiple intermediaries
SSH Certificate Authority
step-ca can issue SSH certificates to users and hosts.
Delegate SSH authentication to step-ca
and set up a clear chain of trust for authorizing access.
- Avoid the risk of trust-on-first-use (TOFU) when connecting to SSH hosts
- Issue short-lived SSH user certificate via Single Sign-on.
Provisioners
Provisioners are methods of using the CA to get certificates for humans or machines. They offer different modes of authorization for the CA.
For example, you can have your CA issue certificates in exchange for:
- ACME challenge responses from any ACMEv2 client
- OAuth OIDC single sign-on tokens, eg:
- ID tokens from Okta, G Suite, Azure AD, Auth0.
- Cloud instance identity documents, for VMs on AWS, GCP, and Azure
- Single-use, short-lived JWK tokens, eg. issued by your CD tool — Puppet, Chef, Ansible, Terraform, etc.
Templates
X.509 Templates let you customize certificate fields, eg:
- Add custom Subject Alternative Names (SANs) or non-standard X.509 Object Identifiers (OIDs) to certificates
- Restrict certificates by domain name or key size
- Issue CA certificates with longer path lengths for multiple intermediaries
step-ca ships with several built-in templates for everyday operations,
and you can use Golang's text/template syntax to create new templates.
Cryptographic Protection
For strong protection of your CA signing keys, we've built step-ca integrations for PKCS #11 HSMs, Google Cloud KMS, AWS KMS, and Yubikey PIV, among others.
Other Integrations
step-ca plays well with Kubernetes cert-manager and Envoy Secret Discovery Service. See Integrations to learn more.
Subscribe to updates
Unsubscribe anytime. See our privacy policy.
© 2021 Smallstep Labs, Inc. All rights reserved.