Hashicorp Vault vs Smallstep Certificate Manager

Looking for automated certificate management for all your internal workloads and developers? Wondering how the offerings stack up? Below is an overview of Hashicorp Vault capabilities and a side-by-side comparison to Smallstep Certificate Manager.


Overview of capabilities

Hashicorp Vault is a great secrets management product that includes some PKI functionality. It is a good option if you are already using Vault and have simple PKI needs. However, it defaults to a centralized security model (just like secrets) where client certificates are generated server-side. This approach can help with some workflows, but it does require you to copy the private key over the network to a client. Vault also gets pretty expensive to license when you want to do things like secure the private keys in an HSM or run a highly available cluster (although the new hosted Vault offering may help here).

From a technology perspective, Vault's primary deficiencies are around certificate management. It lacks many automated authorization methods, so operators have to spend time creating certificates by hand. Because certificate creation is manual, longer expiry times are used, which increases the threat window. With Smallstep, we provide end-to-end certificate management for developers and operators. We automate the lifecycle and reduce certificate lifetimes, allowing your developers to move quickly and securely.
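The overview above contrasts server-side key generation (the private key is created by the CA and copied to the client) with client-side generation, and argues for short lifetimes plus automated authorization. The following is an added example, not code from Smallstep or HashiCorp, that shows the client-side model end to end with Go's standard library: the workload generates its own key, sends only a CSR, the CA checks proof of possession and an allow list of names, and issues a 24-hour leaf. The CA type, the allow-list map and the hostnames are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds a self-signed root. In production this key would live in a cloud
// KMS or an HSM; here it is an in-memory assumption for the example.
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root that can sign leaf certificates.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{cert: cert, key: key}, nil
}

// NewCSR runs on the client. The private key is generated here and never
// leaves the process; only the DER-encoded CSR is handed to the CA.
func NewCSR(dnsNames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames,
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, csrDER, err
}

// Sign runs on the CA. It verifies the CSR's self-signature (proof that the
// requester holds the key), enforces an allow list of names (the per-provisioner
// allow/deny list from the comparison table), and issues a short-lived leaf.
func (ca *CA) Sign(csrDER []byte, allowed map[string]bool, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	for _, n := range csr.DNSNames {
		if !allowed[n] {
			return nil, fmt.Errorf("name %q not permitted by policy", n)
		}
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl), // short lifetime; renewal is automated, not manual
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	// The leaf is bound to the CSR's public key; the CA never sees the private half.
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// Verify chains a leaf back to this CA for the given hostname.
func (ca *CA) Verify(leafDER []byte, name string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	ca, _ := NewCA()
	_, csr, _ := NewCSR([]string{"api.internal.example"}) // assumed hostname
	leaf, err := ca.Sign(csr, map[string]bool{"api.internal.example": true}, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued; chain valid:", ca.Verify(leaf, "api.internal.example") == nil)
}
```

The allow-list check and the 24-hour TTL are where policy lives: a requester that asks for a name outside its policy is refused before a serial is even allocated, and a leaked leaf expires within a day rather than living for the year-long terms that manual issuance tends to encourage.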

Detailed comparison

| Category | Item | Certificate Manager | HashiCorp Vault |
| --- | --- | --- | --- |
| General | Form Factor | SaaS or On-Premise | On-Premise |
| General | Managed By | Smallstep | Customer |
| General | Administration | UI / CLI | UI / CLI |
| General | Highly-available Certificate Authority | | $$$ |
| General | Short-lived certificates with automated renewal | | |
| General | Private keys in cloud KMS | | |
| General | Private keys in dedicated HSM | | |
| General | Open source certificate authority | | |
| General | Cloud managed, on-prem signing CA | | |
| General | Run anywhere Registration Authority | | |
| Authenticated Issuance | Authenticated certificate issuance | | |
| Authenticated Issuance | ACME DNS, HTTP, ALPN, IP, and EAB challenges | | |
| Authenticated Issuance | OIDC - bind user email to SAN/name for developer access | | |
| Authenticated Issuance | OIDC - Admin user create any SAN/name for custom certificate | | |
| Authenticated Issuance | OIDC - SSO identity token or device auth grant workflows | | |
| Authenticated Issuance | AWS, GCP, Azure instance identity docs for cloud infrastructure | | |
| Authenticated Issuance | Existing valid certificate for derived credentials | | |
| Authenticated Issuance | JWK for password, one-time token, or multi-use token authentication | | |
| Authenticated Issuance | API for a certificate | | |
| Authenticated Issuance | Issue cert via UI | Coming Soon | |
| Authorize & Customize | Templatized customization of certificates | | ? |
| Authorize & Customize | Template customization - UI | Coming Soon | ? |
| Authorize & Customize | Template customization - CLI | | ? |
| Authorize & Customize | Inventories - metadata enrichment or access control | Coming Soon | |
| Authorize & Customize | Use metadata to authorize certificate issuance | Coming Soon | |
| Authorize & Customize | Enrich CSR metadata with 3rd party directory | Coming Soon | |
| Authorize & Customize | Name constraints on Authority | | |
| Authorize & Customize | Allow / deny lists on provisioners | | |
| Observability | Issued certificate details in UI | | |
| Observability | Expiry events via webhook event | | ? |
| Observability | Expiry events via email | | ? |
| Observability | Export to webhook / SIEM | | ? |
| Observability | Ability to renew certificate | | ? |
| Renewal | Single command renewal | | |
| Renewal | SystemD timers | | |
| Renewal | Stand-alone daemon | | |
| Renewal | Cron Jobs | | |
| Renewal | ACME Challenges | | |
| Renewal | OIDC - Single Sign-on flow | | |
| Renewal | Configuration Management | | |
| Renewal | API for renewal | | |
| Renewal | Renew after expiry | | |
| Renewal | Manual renewal by Admin | | |
| Revocation | Passive Revocation | | |
| Revocation | Active Revocation - CRL | | |
| Revocation | Active Revocation - OCSP | | |
| Revocation | Validation Authority | | |

Data as of July 1st, 2021
