Integrations

step-ca integrates with a number of different protocols and platforms. Many of these integrations are native to step-ca (like support for ACME and OIDC), while others require additional tools from the smallstep library (e.g. autocert).

This document lists, briefly describes, and links to documentation for all step-ca integrations.

• Protocols and Platforms
  • ACME
  • SCEP
  • OIDC
  • Cloud Instance Identity
  • Kubernetes
  • Nebula
  • Envoy Secret Discovery Service
• Cryptographic Protection
  • Cloud Key Management Services
  • YubiKey PIV
  • PKCS#11 HSMs

Both step and step-ca are natively integrated with the ACME protocol. step can be used to request ACME certificates from any ACME server, while step-ca is a fully functional private ACME server that works with all popular ACME clients.

Learn more about how to setup your own private ACME server and configure popular ACME clients to use that server.

The step-ca server includes support for certificate enrollment using the SCEP protocol. See our SCEP provisioner documentation for details.

Both step and step-ca natively support working with and issuing credentials in exchange for OIDC tokens.

Learn more about how to configure an OIDC provisioner.

Cloud Instance Identity Documents (IIDs) are cryptographically signed blobs of information about a host that are often used by workloads to authenticate one another across one's infrastructure.

Both step and step-ca natively support working with and issuing credentials in exchange for IIDs from AWS, GCP, and Azure.

Learn more about how to configure a cloud identity document provisioner.

The popular cert-manager Kubernetes add-on brings X.509 certificate automation to k8s, for both Ingress TLS certificates and service-to-service or intra-service TLS certificates.

We have two integration options with cert-manager:

• Our open source step-issuer is a cert-manager Issuer that integrates with step-ca.
• Or, if you want a pure ACME solution, you can configure cert-manager's ACME Issuer to use step-ca.

autocert is our k8s add-on that automatically injects TLS/HTTPS certificates into your containers. It is a simple admission controller that modifies a Deployment to inject a new Pod that generates and renews the Pod's certificate. It's not designed to support k8s Ingresses. Learn more about how to install and configure autocert.

The Nebula networking service supports encrypted overlay networks. Nebula uses certificates to authenticate clients joining the network. Nebula has its own custom certificate format (it's not X.509).

step-ca has a Nebula provisioner that can exchange Nebula host certificates issued by your Nebula CA for TLS or SSH certificates that have the same SANs or principals. Use this provisioner to simplify host enrollment on a Nebula network.

step-sds implements the server-side API of Envoy SDS, which pushes certificates to the client. Both mTLS and Unix Domain Socket configurations are supported.

Learn more about how to install and configure step-sds.

Cloud Key Management Services allow users to store cryptographic keys and sign certificates using cloud storage and APIs. Integrations with Google Cloud KMS, Amazon AWS KMS, and Azure Key Vault are currently supported. Learn more.

Want to store your CA locally on a YubiKey? step-ca supports the YubiKey PIV application. Learn more.

step-ca supports storing your CA in a hardware Trusted Platform Module (TPM 2.0) Learn more.

step-ca supports PKCS#11 hardware security modules (HSMs). Learn more.