step-ca integrates with a number of different protocols and platforms. Many of these integrations are native to step-ca (like support for ACME and OIDC), while others require additional tools from the smallstep library (e.g. autocert).

This document lists, briefly describes, and links to documentation for all step-ca integrations.

Protocols and Platforms


Both step and step-ca are natively integrated with the ACME protocol. step can be used to request ACME certificates from any ACME server, while step-ca is a fully functional private ACME server that works with all popular ACME clients.


The step-ca server includes support for certificate enrollment using the SCEP protocol. See our SCEP provisioner documentation for details.


Both step and step-ca natively support working with and issuing credentials in exchange for OIDC tokens.

Learn more about how to configure an OIDC provisioner.

Cloud Instance Identity

Cloud Instance Identity Documents (IIDs) are cryptographically signed blobs of information about a host that are often used by workloads to authenticate one another across one's infrastructure.

Both step and step-ca natively support working with and issuing credentials in exchange for IIDs from AWS, GCP, and Azure.


The popular cert-manager Kubernetes add-on brings X.509 certificate automation to k8s, for both Ingress TLS certificates and service-to-service or intra-service TLS certificates.

We have two integration options with cert-manager:

autocert is our k8s add-on that automatically injects TLS/HTTPS certificates into your containers. It is a simple admission controller that modifies a Deployment to inject a new Pod that generates and renews the Pod's certificate. It's not designed to support k8s Ingresses. Learn more about how to install and configure autocert.


The Nebula networking service supports encrypted overlay networks. Nebula uses certificates to authenticate clients joining the network. Nebula has its own custom certificate format (it's not X.509).

step-ca has a Nebula provisioner that can exchange Nebula host certificates issued by your Nebula CA for TLS or SSH certificates that have the same SANs or principals. Use this provisioner to simplify host enrollment on a Nebula network.

Envoy Secret Discovery Service (SDS)

step-sds implements the server-side API of Envoy SDS, which pushes certificates to the client. Both mTLS and Unix Domain Socket configurations are supported.

Learn more about how to install and configure step-sds.

Cryptographic Protection

Cloud Key Management Services

Cloud Key Management Services allow users to store cryptographic keys and sign certificates using cloud storage and APIs. Integrations with Google Cloud KMS, Amazon AWS KMS, and Azure Key Vault are currently supported. Learn more.

YubiKey PIV

Want to store your CA locally on a YubiKey? step-ca supports the YubiKey PIV application. Learn more.

TPM 2.0

step-ca supports storing your CA in a hardware Trusted Platform Module (TPM 2.0) Learn more.


step-ca supports PKCS#11 hardware security modules (HSMs). Learn more.