This document defines and describes certificate authority core concepts that are integral to the design
and practical usage of
Readers who are not yet familiar with public key infrastructure (PKI) and certificate management may want to check out...
step-ca is an online certificate authority, meaning it runs as a server
on the network and accepts certificate requests.
Provisioners are methods of proving an entities' identity to the CA prior to getting a new certificate. The CA needs proof the an entity that is requesting a new certificate is who they say they are. Once a provisioner authenticates an entities' identity, it then issues the entity a bearer token to submit to the CA, along with a certificate signing request (CSR), to obtain the new certificate.
The details of how a provisioner interacts with an entity (machines or people) and the CA vary by provisioner type. Smallstep supports a number of provisioner types including:
There are two certificate revocation methods: active vs. passive.
Private PKIs like
step-ca uses passive revocation by default.
Passive revocation doesn't use Certificate Revocation List (CRL) and Online Certificate Signing Protocol (OCSP) like the Web PKI you may be familiar with.
To passively revoke a certificate means to block its renewal at the CA. This eliminates the additional network request that occurs when using a web PKI because the certificate just expires by itself. Unlike active revocation, certificates cannot be immedietely revoked. Therefore, certificates should have a shorter lifetime to reduce the value of a key that has be exfiltrated.
step-ca has a couple of non-standard modes of operation.
step-ca can operate in Registration Authority (RA) mode.
An RA is a server that acts as an authentication layer for an upstream signing CA.
RA mode lets you separate certificate request authentication (the RA) from certificate signing operations (the CA). This operational mode centralizes key management: a single CA can serve several RAs.
In RA mode,
step-ca can peer with two kinds of upstream CA: A
step-ca instance, or a Google CloudCAS authority.
See the Registration Authority (RA) Mode section of our Configuration Guide for more on RA mode.
Sometimes it's useful to access a local CA offline, without running the
For this purpose, the
step CLI can be used in offline mode (with the
Offline mode uses the configuration, database, certificates, and keys of an existing
This table shows some of the feature differences between an online
step CLI in offline mode, and the
step certificate subcommand.
Let's create a certificate without
$ step ca init --name "Local CA" --provisioner admin --dns localhost --address ":443" $ step ca certificate --offline foo.smallstep.com foo.crt foo.key