'Provisioners' are crucial to how the Smallstep Platform works, and a faint understanding of what they are and do, is required to effectively use the Smallstep platform and open-source tools to issue and manage certificates.
Read More >
We’ve launched an ACME Registration Authority quickstart guide to help you easily automate certificate issuance and renewal to endpoints within walled-off networks. Read up on Registration Authorities and why may need them.
Read More >
How to use a PKCS #11 HSM with step-ca to protect your private keys
Read More >
Let's make a tiny, standalone CA! We'll use a Raspberry Pi 4, YubiKey 5 NFC, and Infinite Noise TRNG.
Read More >
ACME is a great protocol for internal certificate management, but enterprise software is not yet ready.
Read More >
We added SSH certificate templates to step-ca, and it opened up some unexpected opportunities.
Read More >
We've added X.509 certificate templates to Step Certificates
Read More >
step now supports Microsoft Windows AND step-ca provides first-class support for single sign-on SSH
Read More >
For the pragmatists and learn-by-doing people who want to get up and running quickly, we''ve launched a new interactive onboarding utility. It walks through the process of running a private CA and connecting two systems in your infrastructure.
Read More >
SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.
Read More >
No more editing Authorized_keys files for every change in membership and especially no more warnings about “remote host identification changes.
Read More >
The big headline feature for this release is instance identity document support but there are a ton of other small improvements in this release including Helm, key types, self-signed certs, group checks for SSO, email SAN, bundling and other upgrades.
Read More >
If you're a normal human person you probably don't think much about certificate revocation. This post will help you justify your apathy. It will explain why your indifference is, in fact, the technically correct attitude to have regarding this particular detail of your system's security architecture.
Read More >
Introducing step v0.9.0: Most enterprise IAM systems expose OpenID Connect (a suite of single-sign-on protocols that allow the creation of accounts and login into third party applications using a single account per user identity). In step v0.9.0 you can now leverage OpenID Connect to authenticate with step certificates to make issuance of personal certificates simple.
Read More >
Almost 80% of web page loads now use TLS. But almost no one uses TLS in development and pre-production. Why? Because it's hard. That sucks. When dev and staging don't match prod, bad things happen. Today's step release, version 0.8.6, makes using TLS in dev & pre-prod environments a whole lot easier.
Read More >
The purpose of federation is to allow for secure communication across autonomous systems (e.g., across clouds or between kubernetes clusters). In this post, we’ll take a closer look into how federation works and how the step toolkit expands robust identity bootstrapping beyond a single Kubernetes cluster, cloud, or VM without getting bogged down by operational challenges.
Read More >
Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who''ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It''s universal and vendor-neutral yet poorly documented. This is the missing manual.
Read More >
Introducing step Certificates, an open-source project that makes secure automated certificate management easy, so you can use TLS and easily access anything, running anywhere, from everywhere. But step certificates is more than a certificate authority. It provides all the missing bits you need to run your own internal public key infrastructure (PKI).
Read More >