All About TPMs
By Carl Tashian
Let's explore the Trusted Platform Module (TPM), a standardized crypto processor chip that has recently become ubiquitous in our devices.
Read More >
Access your homelab from anywhere with a YubiKey and mutual TLS
By Carl Tashian
By combining YubiKey’s smart card support with mutual TLS client certificates, hardware-bound private keys, and device attestation, you can expose your homelab to the internet in a way that carries very low security risk.
Read More >
Secretless TLS client certificates in GitHub Actions
By Carl Tashian
With GitHub Actions OIDC tokens and Smallstep Certificate Manager, you can access protected internal resources like cloud services, databases, websites, or Kubernetes clusters using short-lived TLS certificates and no hard-coded secrets!
Read More >
ACME Device Attestation Explained
By Carl Tashian
The shift from SCEP to ACME device attestation is a boon for endpoint security.
Read More >
Managed Device Attestation: ACME as the Bottom Turtle in Mobile Device Management
By Herman Slatman
Have you ever wondered how to securely enroll a brand new phone or laptop onto your network and with your PKI? In this post we describe ACME Device Attestation, which uses a strong cryptographic proof of identity to request a client certificate from an internal PKI. It is set to replace SCEP as the premier method for enrolling with a CA. We’re very excited about it, and you should be too.
Read More >
Making our toolchain work on the web using WebAssembly
By Herman Slatman
WebAssembly is a great technology for porting existing applications to run on a web page. Read along to learn what we had to do to compile our step toolchain to WebAssembly and make it usable on the web.
Read More >
How to use ACME to authenticate to AWS
By Carl Tashian
Stop managing and rotating AWS IAM credentials in your workloads. IAM now lets you delegate AWS authentication to an ACME Certificate Authority.
Read More >
The magic of systemd-creds
By Carl Tashian
With systemd-creds, hardware-protected secrets just got a lot easier in Linux
Read More >
Leverage Zero Trust for your Kubernetes Ingress Controllers
By J. Hunter Hawke
Managing Kubernetes is hard. Securing Kubernetes workloads is hard. Here's my journey into making it easier to use Kubernetes TLS.
Read More >
If OpenSSL were a GUI
By Carl Tashian
What if OpenSSL were a GUI program? Here's what it might look like.
Read More >
Automatic TLS in Kubernetes The Hard Way
By Carl Tashian
We integrated the Smallstep toolchain into Kelsey Hightower's excellent tutorial, Kubernetes The Hard Way.
Read More >
Automating TLS certificate management in Docker
By Carl Tashian
We researched how dozens of Docker services handle TLS certificates, and developed a few patterns for automating certificate management in container environments.
Read More >
Securing MongoDB With TLS (Part 1 of 3)
By Carl Tashian
Part one of a three part series on securing MongoDB with TLS: How to set up a Certificate Authority for MongoDB servers and clients.
Read More >
Securing MongoDB With TLS (Part 2 of 3)
By Carl Tashian
Part two of a three part series on securing MongoDB with TLS: Configuring MongoDB with server and client TLS validation.
Read More >
Securing MongoDB With TLS (Part 3 of 3)
By Carl Tashian
The last in a three part series on securing MongoDB: Setting up a cluster TLS with X509 user authentication.
Read More >
New Release of Smallstep ACME RA: Automating internal TLS with ACME + Google CAS
By Carl Tashian
We're excited to announce a new release of our HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.
Read More >
Securing Istio and Kubernetes With a Private Certificate Authority
By Kevin Chen
A step-by-step guide to securing Istio and Kubernetes workloads using an open-source private certificate authority.
Read More >
Grafana for homelab monitoring—with mTLS!
By Carl Tashian
We set up mutual TLS between five services for secure homelab monitoring with Grafana, Prometheus, Loki, Promtail, and node_exporter.
Read More >
How to Handle Secrets on the Command Line
By Carl Tashian
How to keep secret credentials safe on the command line.
Read More >
How to use step-ca with Hardware Security Modules (HSMs)
By Carl Tashian
How to use a PKCS #11 HSM with step-ca to protect your private keys
Read More >
Build a Tiny Certificate Authority For Your Homelab
By Carl Tashian
Let's make a tiny, standalone CA! We'll use a Raspberry Pi 4, YubiKey 5 NFC, and Infinite Noise TRNG.
Read More >
The Embarrassing State of Enterprise ACME Support
By Carl Tashian
ACME is a great protocol for internal certificate management, but enterprise software is not yet ready.
Read More >
Clever Uses of SSH Certificate Templates
By Carl Tashian
We added SSH certificate templates to step-ca, and it opened up some unexpected opportunities.
Read More >
Introducing Smallstep ACME RA: Automating internal TLS with ACME + Google CAS
By Carl Tashian
We're excited to announce our new HSM-backed cloud ACME server, the Smallstep ACME Registration Authority for Google CA Services.
Read More >
Announcing X.509 Certificate Flexibility
By Carl Tashian
We've added X.509 certificate templates to Step Certificates
Read More >
DIY SSH Bastion Host
By Carl Tashian
How to create and deploy a simple and minimal bastion host on Ubuntu 20.04 LTS.
Read More >
SSH Emergency Access
By Carl Tashian
Learn how to prepare for emergency access to your SSH hosts.
Read More >
The Poetics of CLI Command Names
By Carl Tashian
Naming a CLI command requires deep and careful deliberation.
Read More >
SSH Agent Explained
By Carl Tashian
The SSH agent acts behind the scenes to keep you safe. Here's how it works.
Read More >
SSH Tips & Tricks
By Carl Tashian
A few of our favorite SSH tricks and tips sure to improve your daily experience.
Read More >
DIY Single Sign-On for SSH
By Carl Tashian
Let's set up Google SSO for SSH! We’ll use OpenID Connect (OIDC), SSH certificates, a clever SSH configuration tweak, and Smallstep’s open source packages.
Read More >
Embarrassingly easy private certificate management for VMs on AWS, GCP, and Azure
By Mike Malone
step and step-ca (v0.11.0) adds support for cloud instance identity documents (IIDs), making it embarrassingly easy to get certificates to workloads running on public cloud virtual machines (VMs). This post introduces IID-based authentication with step and step-ca, and notes some interesting architectural and security details.
Read More >
Run your own private CA & ACME server using step-ca
By Mike Maxey
With today's release (v0.13.0), you can now use ACME to get certificates from step-ca. ACME (RFC8555) is the protocol that Let's Encrypt uses to automate certificate management for websites. ACME radically simplifies the deployment of TLS and HTTPS by letting you obtain certificates automatically, without human interaction.
Read More >
If you’re not using SSH certificates you’re doing SSH wrong
By Mike Malone
SSH has some pretty gnarly issues when it comes to usability, operability, and security. The good news is this is all easy to fix. SSH is ubiquitous. It’s the de-facto solution for remote administration of *nix systems. SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.
Read More >
Good certificates die young: what's passive revocation and how is it implemented?
By Mike Malone
If you're a normal human person you probably don't think much about certificate revocation. This post will help you justify your apathy. It will explain why your indifference is, in fact, the technically correct attitude to have regarding this particular detail of your system's security architecture.
Read More >
Step v0.9.0: Curl mTLS services with SSO certificates via OAuth OpenID Connect
By Max Furman
Introducing step v0.9.0: Most enterprise IAM systems expose OpenID Connect (a suite of single-sign-on protocols that allow the creation of accounts and login into third party applications using a single account per user identity). In step v0.9.0 you can now leverage OpenID Connect to authenticate with step certificates to make issuance of personal certificates simple.
Read More >
Step v0.8.6: Bring development closer to production with valid HTTPS certificates
By Sebastian Tiedtke
Almost 80% of web page loads now use TLS. But almost no one uses TLS in development and pre-production. Why? Because it's hard. That sucks. When dev and staging don't match prod, bad things happen. Today's step release, version 0.8.6, makes using TLS in dev & pre-prod environments a whole lot easier.
Read More >
Step v0.8.3: Federation and Root Rotation for step Certificates
By Sebastian Tiedtke
The purpose of federation is to allow for secure communication across autonomous systems (e.g., across clouds or between kubernetes clusters). In this post, we’ll take a closer look into how federation works and how the step toolkit expands robust identity bootstrapping beyond a single Kubernetes cluster, cloud, or VM without getting bogged down by operational challenges.
Read More >
Everything you should know about certificates and PKI but are too afraid to ask
By Mike Malone
Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who''ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It''s universal and vendor-neutral yet poorly documented. This is the missing manual.
Read More >
Introducing step Certificates, secure, automated certificate management
By Mike Malone
Introducing step Certificates, an open-source project that makes secure automated certificate management easy, so you can use TLS and easily access anything, running anywhere, from everywhere. But step certificates is more than a certificate authority. It provides all the missing bits you need to run your own internal public key infrastructure (PKI).
Read More >