# Integrations

`step-ca` integrates with a number of different protocols and platforms. Many of these integrations are native to `step-ca` (like support for ACME and OIDC), while others require additional tools from the smallstep library (e.g. `autocert`).

This document lists, briefly describes, and links to documentation for all `step-ca` integrations.
- Protocols and Platforms
- Cryptographic Protection
## Protocols and Platforms

### ACME

Both `step` and `step-ca` are natively integrated with the ACME protocol. `step` can be used to request ACME certificates from any ACME server, while `step-ca` is a fully functional private ACME server that works with all popular ACME clients.

Learn more about how to set up your own private ACME server and configure popular ACME clients to use that server.
### SCEP

The `step-ca` server includes support for certificate enrollment using the SCEP protocol. See our SCEP provisioner documentation for details.

### OIDC

Both `step` and `step-ca` natively support working with and issuing credentials in exchange for OIDC tokens.

Learn more about how to configure an OIDC provisioner.
### Cloud Instance Identity

Cloud Instance Identity Documents (IIDs) are cryptographically signed blobs of information about a host that are often used by workloads to authenticate one another across your infrastructure.

Both `step` and `step-ca` natively support working with and issuing credentials in exchange for IIDs from AWS, GCP, and Azure.

Learn more about how to configure a cloud identity document provisioner.
### Kubernetes

The popular `cert-manager` Kubernetes add-on brings X.509 certificate automation to k8s, for both Ingress TLS certificates and service-to-service or intra-service TLS certificates.

We have two integration options with `cert-manager`:

- Our open source `step-issuer` is a `cert-manager` Issuer that integrates with `step-ca`.
- Or, if you want a pure ACME solution, you can configure `cert-manager`'s ACME Issuer to use `step-ca`.

`autocert` is our k8s add-on that automatically injects TLS/HTTPS certificates into your containers. It is a simple admission controller that modifies a Deployment to inject a new Pod that generates and renews the Pod's certificate. It's not designed to support k8s Ingresses. Learn more about how to install and configure `autocert`.
### Nebula

The Nebula networking service supports encrypted overlay networks. Nebula uses certificates to authenticate clients joining the network. Nebula has its own custom certificate format (it's not X.509).

`step-ca` has a Nebula provisioner that can exchange Nebula host certificates issued by your Nebula CA for TLS or SSH certificates that have the same SANs or principals. Use this provisioner to simplify host enrollment on a Nebula network.

### Envoy Secret Discovery Service (SDS)

`step-sds` implements the server-side API of Envoy SDS, which pushes certificates to the client. Both mTLS and Unix Domain Socket configurations are supported.

Learn more about how to install and configure `step-sds`.
## Cryptographic Protection

### Cloud Key Management Services

Cloud Key Management Services allow users to store cryptographic keys and sign certificates using cloud storage and APIs. Integrations with Google Cloud KMS, Amazon AWS KMS, and Azure Key Vault are currently supported. Learn more.

### YubiKey PIV

Want to store your CA locally on a YubiKey? `step-ca` supports the YubiKey PIV application. Learn more.

### TPM 2.0

`step-ca` supports storing your CA in a hardware Trusted Platform Module (TPM 2.0). Learn more.

### PKCS#11 HSMs

`step-ca` supports PKCS#11 hardware security modules (HSMs). Learn more.