step-ca
step-ca
step-ca
in a Docker containerstep-ca
step-ca
step-ca
in a Docker containerstep-ca
integrates with a number of different protocols and platforms. Many
of these integrations are native to step-ca
(like support for ACME
and OIDC), while others require additional tools from the smallstep
library (e.g. autocert).
This document lists, briefly describes, and links to documentation for all
step-ca
integrations.
Both step
and step-ca
are natively integrated with the ACME protocol. step
can be used to request ACME certificates from any ACME server, while step-ca
is a fully functional private ACME server that works with all popular ACME clients.
Learn more about how to setup your own private ACME server and configure popular ACME clients to use that server.
The step-ca
server includes support for certificate enrollment using the SCEP protocol. See our SCEP provisioner documentation for details.
Both step
and step-ca
natively support working with and issuing
credentials in exchange for OIDC tokens.
Learn more about how to configure an OIDC provisioner.
Cloud Instance Identity Documents (IIDs) are cryptographically signed blobs of information about a host that are often used by workloads to authenticate one another across one's infrastructure.
Both step
and step-ca
natively support working with and issuing
credentials in exchange for IIDs from AWS, GCP, and Azure.
Learn more about how to configure a cloud identity document provisioner.
The popular cert-manager
Kubernetes add-on brings X.509 certificate automation to k8s, for both Ingress TLS certificates and service-to-service or intra-service TLS certificates.
We have two integration options with cert-manager
:
step-issuer
is a cert-manager
Issuer that integrates with step-ca
.cert-manager
's ACME Issuer to use step-ca
.autocert
is our k8s add-on that automatically injects TLS/HTTPS certificates into your containers. It is a simple admission controller that modifies a Deployment to inject a new Pod that generates and renews the Pod's certificate. It's not designed to support k8s Ingresses. Learn more about how to install and configure autocert
.
The Nebula networking service supports encrypted overlay networks. Nebula uses certificates to authenticate clients joining the network. Nebula has its own custom certificate format (it's not X.509).
step-ca
has a Nebula provisioner that can exchange Nebula host certificates issued by your Nebula CA for TLS or SSH certificates that have the same SANs or principals. Use this provisioner to simplify host enrollment on a Nebula network.
step-sds
implements the server-side API of Envoy SDS, which
pushes certificates to the client. Both mTLS and Unix Domain Socket
configurations are supported.
Learn more about how to install and configure step-sds
.
Cloud Key Management Services allow users to store cryptographic keys and sign certificates using cloud storage and APIs. Integrations with Google Cloud KMS, Amazon AWS KMS, and Azure Key Vault are currently supported. Learn more.
Want to store your CA locally on a YubiKey? step-ca
supports the YubiKey PIV application.
Learn more.
step-ca
supports PKCS#11 hardware security modules (HSMs).
Learn more.
Unsubscribe anytime. See our privacy policy.
© 2023 Smallstep Labs, Inc. All rights reserved.