Welcome to Smallstep Certificate Manager
Mike Maxey
As we were building, people kept showing up and asking for meetings. Most began with, “I’ve been running step-ca in production for six months now, and I’d like this feature, so that I can go bigger in my environment.” After enough of these user feedback meetings, patterns emerge.
Before we can talk about all that goes into General Availability (GA) of Certificate Manager, it’s important that we look back at the journey to this point.
Our history is open source.
First released in 2018, step and step-ca have become the most popular open-source certificate management toolchain. We’ve been focused on automation from the command line from the beginning. Four years ago, our first open-source release introduced a simple command for locally creating a variety of X.509 certificates: step certificate create. When we created the step-ca certificate server, we added the step ca command group for remote certificate management, including automated renewal, but the simplicity remains.
We’ve poured four years of engineering into building a modern framework for managing certificates. Much of that work went into reach and automation through a set of authentication mechanisms we call Provisioners. We added OIDC for humans, cloud identity APIs for VMs, Autocert for Kubernetes, and ACME for everything else. You can authenticate a certificate request using existing X.509 certificates, one-time tokens, passwords, Nebula certificates, and more. This extended set of capabilities gives you reach to everything in your infrastructure. All from the command line. All built with sane defaults that make PKI and certificates easy to use and hard to misuse: anything risky, such as writing an unencrypted key or overwriting an existing file, has to be requested explicitly (--force --insecure).
What does GA mean?
GA means that Certificate Manager is production-ready for everyone from the homelabber to the largest enterprises. It’s been delivering value to our early adopters for over a year in some of the world's largest and most security-sensitive financial institutions. Working alongside those institutions and other users, we have delivered a strong, full-featured turnkey SaaS product.
At the core of Certificate Manager is step-ca. Certificate Manager carries over the automation and simplicity of our open-source tools and extends them with high availability, audit, endpoint reporting and certificate alerting, a management dashboard, and the PKI features the largest enterprises need (active revocation, ACME External Account Binding (EAB), granular access control, …). All of this is delivered as a SaaS platform that anyone can sign up for and use to start managing endpoints today. No sales calls or demos are required. Our pricing is transparent and includes a calculator that shows exactly what a production deployment costs. We even have a free tier for homelabs and smaller teams.
What can I do with it?
Certificates are a fundamental part of any non-trivial architecture. They are used to stand up infrastructure, to secure communications between systems, and to authenticate users and devices. Certificates are used in so many places that the list is difficult to enumerate, and we have found that which of those places matter varies from one company’s architecture to the next. That variety is where we bring the most value to security engineers.
We do that through reach: we can automate across all the variety in your infrastructure, covering the certificate lifecycle from automatic enrollment governed by access control rules to single-command certificate renewals. With Certificate Manager, you can be confident that new infrastructure is securely enrolled and given a cryptographic identity as it is spun up.
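The lifecycle described above, as an added Go example that is not Smallstep’s code: an in-memory lab root stands in for step-ca, a 24-hour server certificate is issued (step-ca’s default certificate lifetime), a two-thirds-elapsed rule decides when to renew (the documented default for step ca renew --daemon), and the renewed certificate is verified against the root while the expired one and a wrong hostname are rejected. The host names, the fixed clock and the lab CA itself are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BaseTime is a fixed clock so the walkthrough is deterministic (assumed for the example).
var BaseTime = time.Date(2022, 10, 11, 0, 0, 0, 0, time.UTC)

// LabCA is a throwaway in-memory root standing in for a step-ca instance.
type LabCA struct {
	Key        *ecdsa.PrivateKey
	Cert       *x509.Certificate
	nextSerial int64
}

// NewLabCA creates a self-signed root with a ten-year lifetime.
func NewLabCA(name string) (*LabCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             BaseTime.Add(-time.Hour),
		NotAfter:              BaseTime.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LabCA{Key: key, Cert: cert, nextSerial: 2}, nil
}

// Issue signs a server certificate for dnsName, valid from now for lifetime.
func (ca *LabCA) Issue(dnsName string, pub *ecdsa.PublicKey, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NeedsRenewal applies the two-thirds rule: renew once 2/3 of the lifetime has elapsed.
// Integer duration arithmetic avoids float rounding right at the boundary.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	elapsed := now.Sub(cert.NotBefore)
	return 3*elapsed >= 2*lifetime
}

// Valid reports whether leaf chains to root for dnsName at time now.
func Valid(leaf, root *x509.Certificate, dnsName string, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: now})
	return err == nil
}

// Report records what the walkthrough observed at each point on the clock.
type Report struct {
	RenewAt8h, RenewAt17h        bool
	OldValidAt25h, NewValidAt25h bool
	WrongNameRejected            bool
	OldSerial, NewSerial         int64
}

// Lifecycle runs enrol, renewal check, renew, verify against the lab CA.
func Lifecycle() (Report, error) {
	var r Report
	ca, err := NewLabCA("Lab Root CA")
	if err != nil {
		return r, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	const name = "app.internal.example" // assumed host name
	old, err := ca.Issue(name, &key.PublicKey, BaseTime, 24*time.Hour) // enrol: 24h cert
	if err != nil {
		return r, err
	}
	r.RenewAt8h = NeedsRenewal(old, BaseTime.Add(8*time.Hour))   // 1/3 elapsed: keep
	r.RenewAt17h = NeedsRenewal(old, BaseTime.Add(17*time.Hour)) // past 2/3: renew
	renewed, err := ca.Issue(name, &key.PublicKey, BaseTime.Add(17*time.Hour), 24*time.Hour)
	if err != nil {
		return r, err
	}
	at25h := BaseTime.Add(25 * time.Hour) // old cert expired, renewed one still good
	r.OldValidAt25h = Valid(old, ca.Cert, name, at25h)
	r.NewValidAt25h = Valid(renewed, ca.Cert, name, at25h)
	r.WrongNameRejected = !Valid(renewed, ca.Cert, "other.internal.example", at25h)
	r.OldSerial, r.NewSerial = old.SerialNumber.Int64(), renewed.SerialNumber.Int64()
	return r, nil
}

func main() {
	r, err := Lifecycle()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Renewal reuses the key pair here for brevity; step ca renew behaves the same way, while a fresh enrollment (step ca certificate) generates a new key. The one rule a renewal daemon must get right is the one NeedsRenewal encodes: renew on a schedule derived from the certificate's own NotBefore/NotAfter, not from wall-clock guesses.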
A great example is our ACME protocol support. Created at Let’s Encrypt and now securing 80% of the public internet, ACME uses challenges (for example HTTP-01 or DNS-01) to prove that the requester controls a name before a certificate is issued. We take all that goodness, layer in advanced access control, and make it available to internal workloads. Because it works with any ACME client, our customers are automating certificates with ACME on Linux and Windows servers, internal websites, workloads, and more (and soon laptops and devices).
Another example is Kubernetes TLS. Certificates are fundamental to standing up a Kubernetes cluster and to interacting with it and within it. Certificate Manager makes it easy to automate your Kubernetes TLS use cases, whatever you are looking to achieve.
This automation and reach produce a catalog of endpoints: an inventory of everything in your system that holds a certificate. That catalog drives audit and compliance and is fundamental to how operations teams work. Importantly, we make it available where you already work, with simple integrations into systems such as Splunk, Prometheus, Sumo Logic, or any other monitoring or enterprise SIEM solution.
Certificate Manager makes interoperability with legacy PKI straightforward. We support the key types and standard PKI functions you need, including active revocation (CRL and OCSP), HSMs (via PKCS #11), custom certificate chains anchored to existing roots, and more. Extending your existing PKI is easy, so your operations teams can adopt modern protocols and workflows.
Finally, we bring expertise. Not everyone is a PKI expert, and best practices are often difficult to identify. With access to certificate management expertise through detailed documentation, helpful FAQs, support tickets, and live assistance, we give you confidence that what you are building is secure and built to scale.
Where does Smallstep Certificate Manager go from here?
Today is the first step in the Certificate Manager journey. We delivered the core platform to make users successful and are excited to see what you will do with it and where you want to go next. So give Certificate Manager a try today, and let us know your destination.