certificates
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
step-ca is an open-source private certificate authority you run on your own servers to issue TLS (X.509) and SSH certificates to internal services and users, with ACME support so Nginx, Caddy, and similar clients can request and renew certificates automatically.
step-ca is an open-source tool that lets you run your own private certificate authority. A certificate authority (CA) is the system that signs the certificates websites and internal services present to prove their identity; a client that trusts the CA's root certificate can then authenticate those services and set up encrypted connections to them. Instead of relying on a public authority or paying for certificates, you can run step-ca on your own servers and issue certificates to your own infrastructure: web servers, databases, containers, virtual machines, and more. The one thing a private CA cannot do for you is make clients trust it: its root certificate has to be installed in the trust store of every client that should accept the certificates it issues.
The tool issues two kinds of certificates. The first is the standard X.509 certificate used for HTTPS and other TLS connections, which lets a client check that the server it reached is the one named in the certificate before any data is exchanged. The second is the SSH certificate, for the protocol developers use to log in to servers remotely. Plain SSH trusts lists of public keys (authorized_keys for users, known_hosts for servers) that have to be maintained by hand on every machine. With step-ca you instead issue SSH certificates to both users and hosts: a server only needs to trust the CA's key to accept any user certificate the CA signed, and a client only needs the CA's key to recognise every host certificate. This simplifies access management, and because every certificate carries an expiry, access can be granted for a fixed window and withdrawn centrally instead of by editing key lists on each server.
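As an added illustration of what the X.509 side of a private CA does (this is example code written for this page, not code from step-ca or Smallstep), the Go program below creates a self-signed root, issues a short-lived server certificate for an internal hostname, and then verifies it the way a TLS client would, rejecting a wrong hostname, an expired certificate, and a certificate chained to a root the client does not trust. The CA name, hostnames, IP address and lifetimes are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CA is a minimal in-memory certificate authority: a self-signed root and its private key.
// It is an illustrative stand-in for what step-ca holds, not step-ca's implementation.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root certificate whose key usage is limited to signing certificates.
func NewCA(name string, lifetime time.Duration) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a short-lived end-entity certificate for a service. Names go in the
// SAN extension and the certificate is restricted to TLS server authentication.
func (ca *CA) IssueServerCert(dnsNames []string, ips []net.IP, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if len(dnsNames) == 0 {
		return nil, nil, fmt.Errorf("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serials avoid collisions and guessable certificate identifiers.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, key, nil
}

// Verify checks a leaf the way a TLS client does: chain to a trusted root, hostname present
// in the SAN list, validity period containing `at`, and a server-auth extended key usage.
func Verify(root, leaf *x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewCA("Example Internal Root CA", 24*time.Hour) // made-up CA name
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueServerCert([]string{"db.internal.example"}, []net.IP{net.ParseIP("10.0.0.5")}, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid host:   ", Verify(ca.Cert, leaf, "db.internal.example", time.Now()))
	fmt.Println("wrong host:   ", Verify(ca.Cert, leaf, "api.internal.example", time.Now()))
	fmt.Println("after expiry: ", Verify(ca.Cert, leaf, "db.internal.example", time.Now().Add(48*time.Hour)))
}
```

The verification step is the part to keep in mind when rolling out a private CA: a client only reaches the "valid" outcome when the root is in its trust pool, the requested hostname is in the certificate's SAN list, and the current time is inside the validity window, which is why short-lived certificates need working automated renewal rather than manual reissue.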
One of its main features is support for ACME, the automated certificate issuance and renewal protocol used by the free public service Let's Encrypt. Any client that already knows how to obtain certificates from Let's Encrypt, including popular web servers and reverse proxies such as Nginx, Caddy, Traefik, and Apache, can obtain them from your private step-ca instance instead. The only client-side changes are pointing it at the ACME directory URL of your step-ca instance and making it trust your CA's root certificate; the challenge, issuance, and renewal mechanics stay the same.
Each way of proving identity to the CA is configured as a provisioner, and several can be enabled at once. Depending on your setup, a certificate can be issued in exchange for: completing an ACME challenge; presenting a single sign-on (OIDC) token from an identity provider such as Okta or Google; presenting a cloud instance identity document from AWS or Azure, which lets a freshly booted VM prove which account and instance it is; or presenting a short-lived, single-use token minted with a provisioner key held by a deployment tool such as Terraform or Ansible.
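As an added illustration of the token-based flow described above (example code written for this page, not step-ca's or Smallstep's implementation; the claim names and the single-use rule are modelled on how a JWT-based provisioner token works and are assumptions of this example), here are both sides in Go: a deployment tool that mints a short-lived, single-use ES256-signed token with the provisioner's private key, and a CA-side verifier that checks the signature, the audience, the validity window, and that the token has not already been redeemed. The provisioner name, audience URL, and hostnames are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"sync"
	"time"
)

// TokenClaims is the payload of a one-time provisioning token. The claim set below is an
// assumption of this example, modelled on a JWT-style provisioner token, not step-ca's definition.
type TokenClaims struct {
	Issuer   string   `json:"iss"`  // provisioner name
	Subject  string   `json:"sub"`  // certificate subject being requested
	Audience string   `json:"aud"`  // the CA endpoint the token is valid for
	SANs     []string `json:"sans"` // names the certificate may carry
	ID       string   `json:"jti"`  // random nonce; the CA remembers it so the token is single-use
	IssuedAt int64    `json:"iat"`
	Expiry   int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewProvisionerKey generates the ES256 key a deployment tool would hold.
func NewProvisionerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// MintToken is the deployment-tool side: sign a short-lived, single-use JWT for one subject.
func MintToken(key *ecdsa.PrivateKey, provisioner, subject, audience string, sans []string, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	now := time.Now()
	payload, err := json.Marshal(TokenClaims{Issuer: provisioner, Subject: subject, Audience: audience,
		SANs: sans, ID: b64(nonce), IssuedAt: now.Unix(), Expiry: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verifier is the CA side: it trusts one provisioner public key for one audience and
// remembers redeemed token IDs so that a captured token cannot be replayed.
type Verifier struct {
	pub      *ecdsa.PublicKey
	audience string
	mu       sync.Mutex
	used     map[string]bool
}

func NewVerifier(pub *ecdsa.PublicKey, audience string) *Verifier {
	return &Verifier{pub: pub, audience: audience, used: map[string]bool{}}
}

// Redeem checks signature, audience, validity window and single use, in that order. The
// header's alg is deliberately ignored: only ES256 with the configured key is ever accepted,
// which rules out "alg":"none" and key-confusion attacks on JWT verifiers.
func (v *Verifier) Redeem(token string, now time.Time) (*TokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(v.pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c TokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Audience != v.audience {
		return nil, errors.New("token audience is not this CA")
	}
	if t := now.Unix(); t < c.IssuedAt || t >= c.Expiry {
		return nil, errors.New("token expired or not yet valid")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if v.used[c.ID] {
		return nil, errors.New("token already redeemed")
	}
	v.used[c.ID] = true
	return &c, nil
}
```

Two of these checks carry most of the security value: the audience check means a token minted for one CA endpoint is useless at another, and the redeemed-ID memory means a token captured from a CI log or a network trace cannot be used a second time even inside its short lifetime.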
step-ca is designed to work alongside the step command-line tool, which handles the client side: bootstrapping trust in the CA, requesting and renewing certificates, and inspecting them. The project is open source under the Apache 2.0 license, and Smallstep also offers a commercial version with additional features such as high availability, a web admin interface, and device identity management.
Where it fits
- Issue HTTPS certificates to internal services like databases and APIs without paying for public certificates or using self-signed certs.
- Replace manual SSH key management with SSH certificates so user and server access can be granted and revoked centrally.
- Use ACME protocol support to let Nginx, Caddy, or Traefik automatically renew internal HTTPS certificates the same way they do with Let's Encrypt.
- Automate certificate issuance for cloud VMs by using AWS or Azure instance identity documents as proof of identity.