Hashicorp Vault vs Smallstep Certificate Manager
Looking for automated certificate management for all your internal workloads and developers? Wondering how the offerings stack up? Below is an overview of HashiCorp Vault's PKI capabilities and a side-by-side comparison with Smallstep Certificate Manager.
Overview of capabilities
Hashicorp Vault is a strong secrets management product that includes some PKI functionality. It is a good option if you are already using Vault and have simple PKI needs. However, it defaults to a centralized security model (just like secrets) in which client certificates, private key included, are generated server-side. This approach suits some workflows, but it means the private key is copied over the network to the client, so the key exists on the CA host and in transit before it ever reaches the workload that will use it. (Vault's PKI engine can also sign a client-generated CSR, in which case the key stays on the client.) Vault also gets expensive to license when you want to secure the CA's private keys in an HSM or run a highly available cluster (although the new hosted Vault offering may help here).
From a technology perspective, Vault's main deficiencies are in certificate management. It lacks many automated authorization methods, so operators spend time creating certificates by hand. Because issuance is manual, longer expiry times get used, which widens the window in which a compromised or leaked key remains usable. With Smallstep, we provide end-to-end certificate management for developers and operators: we automate the lifecycle and shorten certificate lifetimes, letting your developers move quickly and securely.
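The two points above, client-side key generation and short lifetimes with automated renewal, are easier to see in code. The following is an added example written for this page, not code from Smallstep or HashiCorp, using only the Go standard library. It builds a throwaway in-memory root CA, has the "client" generate its own key and hand the CA nothing but a CSR, issues a 24-hour leaf, verifies the chain, and runs the kind of "is it time to renew yet?" check a timer-driven renewer performs. The CA name, the hostname `api.internal.example` and the renew-at-two-thirds-of-lifetime rule are assumptions made for the example, not documented defaults of either product.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a throwaway self-signed root in memory (constructed for this example).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientCSR runs on the workload. The private key is generated here and never leaves:
// only the DER CSR (public key plus requested SAN, self-signed as proof of possession)
// is sent to the CA.
func clientCSR(dnsName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// signCSR runs on the CA. It checks the CSR's self-signature (proof the requester holds
// the key) and issues a leaf with a short, explicit lifetime. The CA only sees the public key.
func signCSR(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames, // a real CA authorizes these names before copying them
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyLeaf checks that the issued certificate chains to the CA for the given name.
func verifyLeaf(caCert, leaf *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// renewalDue is the check a timer-driven renewer runs: renew once two thirds of the
// lifetime has elapsed (the 2/3 point is an assumption for this example).
func renewalDue(cert *x509.Certificate, at time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return at.After(cert.NotBefore.Add(lifetime * 2 / 3))
}

func main() {
	caCert, caKey, err := newCA()
	must(err)
	key, csrDER, err := clientCSR("api.internal.example") // assumed hostname
	must(err)
	leaf, err := signCSR(caCert, caKey, csrDER, 24*time.Hour) // 24h leaf instead of a year
	must(err)
	must(verifyLeaf(caCert, leaf, "api.internal.example"))
	fmt.Println("leaf carries the client's own key:", leaf.PublicKey.(*ecdsa.PublicKey).Equal(&key.PublicKey))
	fmt.Println("renew now:", renewalDue(leaf, time.Now()), "renew at +20h:", renewalDue(leaf, time.Now().Add(20*time.Hour)))
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

The contrast with server-side issuance is what `signCSR` does not do: it never calls `ecdsa.GenerateKey`, so there is no private key to return, log, or intercept on the CA side. The `renewalDue` check is the piece a cron job, systemd timer or stand-alone daemon would call on each tick; with a 24-hour leaf a missed tick costs hours of exposure, not the months a hand-issued one-year certificate would.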
Detailed comparison
Category | Item | Certificate Manager | HashiCorp Vault |
---|---|---|---|
General | Form Factor | SaaS or On-Premise | On-Premise |
General | Managed By | Smallstep | Customer |
General | Administration | UI / CLI | UI / CLI |
General | Highly-available Certificate Authority | $$$ | |
General | Short-lived certificates with automated renewal | ||
General | Private keys in cloud KMS | ||
General | Private keys in a dedicated HSM | ||
General | Open source certificate authority | ||
General | Cloud managed, on-prem signing CA | ||
General | Run anywhere Registration Authority | ||
Authenticated Issuance | Authenticated certificate issuance | ||
Authenticated Issuance | ACME DNS, HTTP, ALPN, IP, and EAB challenges | ||
Authenticated Issuance | OIDC - bind user email to SAN/name for developer access | ||
Authenticated Issuance | OIDC - Admin user create any SAN/name for custom certificate | ||
Authenticated Issuance | OIDC - SSO identity token or device auth grant workflows | ||
Authenticated Issuance | AWS, GCP, Azure instance identity docs for cloud infrastructure | ||
Authenticated Issuance | Existing valid certificate for derived credentials | ||
Authenticated Issuance | JWK for password, one-time token, or multi-use token authentication | ||
Authenticated Issuance | API for a certificate | ||
Authenticated Issuance | Issue cert via UI | Coming Soon | |
Authorize & Customize | Templatized customization of certificates | ? | |
Authorize & Customize | Template customization - UI | Coming Soon | ? |
Authorize & Customize | Template customization - CLI | ? | |
Authorize & Customize | Inventories - metadata enrichment or access control | Coming Soon | |
Authorize & Customize | Use metadata to authorize certificate issuance | Coming Soon | |
Authorize & Customize | Enrich CSR metadata with 3rd party directory | Coming Soon | |
Authorize & Customize | Name constraints on Authority | ||
Authorize & Customize | Allow / deny lists on provisioners | ||
Observability | Issued certificates details in UI | ||
Observability | Expiry events via webhook event | ? | |
Observability | Expiry events via email | ? | |
Observability | Export to webhook / SIEM | ? | |
Observability | Ability to renew certificate | ? | |
Renewal | Single-command renewal | ||
Renewal | systemd timers | ||
Renewal | Stand-alone daemon | ||
Renewal | Cron Jobs | ||
Renewal | ACME Challenges | ||
Renewal | OIDC - Single Sign-on flow | ||
Renewal | Configuration Management | ||
Renewal | API for renewal | ||
Renewal | Renew after expiry | ||
Renewal | Manual renewal by Admin | ||
Revocation | Passive Revocation | ||
Revocation | Active Revocation - CRL | ||
Revocation | Active Revocation - OCSP | ||
Revocation | Validation Authority | ||
Data as of July 1st, 2021
Create your private hosted Certificate Authority in less than five minutes