explaingit

smallstep/certificates

8,500 · Go · Audience · ops, devops · Complexity · 4/5 · License · Apache 2.0 · Setup · hard

TLDR

step-ca is an open-source private certificate authority you run on your own servers to issue HTTPS and SSH certificates to internal services, with ACME support so ACME clients such as Caddy, Traefik, or certbot in front of Nginx can obtain and renew those certificates automatically.

Mindmap

mindmap
  root((step-ca))
    What it does
      Private CA
      HTTPS certs
      SSH certs
    Auth methods
      ACME challenges
      SSO tokens
      Cloud identity
      Terraform tokens
    Integrations
      Nginx
      Caddy
      Traefik
    Audience
      DevOps teams
      Self-hosters

Things people build with this

USE CASE 1

Issue HTTPS certificates to internal services like databases and APIs without paying for public certificates or using self-signed certs.

USE CASE 2

Replace manual SSH key management with SSH certificates so user and server access can be granted and revoked centrally.

USE CASE 3

Use ACME protocol support to let Nginx, Caddy, or Traefik automatically renew internal HTTPS certificates the same way they do with Let's Encrypt.

USE CASE 4

Automate certificate issuance for cloud VMs by using AWS or Azure instance identity documents as proof of identity.

Tech stack

Go

Getting it running

Difficulty · hard · Time to first run · 1h+

Requires running your own server infrastructure and understanding PKI concepts; SSH certificate setup also requires a configuration change on every target server (sshd must trust the CA's user key and present its own host certificate).

Apache 2.0: use, modify, and distribute freely, including in commercial products.

In plain English

step-ca is an open-source tool that lets you run your own private certificate authority. A certificate authority is the system that issues the certificates websites and internal services use to prove their identity and encrypt their traffic. Instead of relying on a public authority or paying for certificates, you run step-ca on your own servers and issue certificates to your own infrastructure: web servers, databases, containers, virtual machines, and more. The one thing every client must then do is trust your CA's root certificate; a certificate from a private CA is only as meaningful as that trust distribution.

The tool issues two types of certificates. The first is the standard X.509 type used for HTTPS and other TLS connections, which proves that a server is who it claims to be. The second is for SSH, the protocol developers use to connect remotely to servers. Normally SSH relies on lists of trusted public keys (authorized_keys on servers, known_hosts on clients) that must be managed manually on each machine. With step-ca you instead issue short-lived SSH certificates to both users and hosts, so each server only needs to trust the CA's key, and access lapses when a certificate expires rather than when someone remembers to delete a key.

One of its main features is support for ACME, the automated certificate issuance and renewal protocol used by the free public service Let's Encrypt. Any tool that already knows how to get certificates from Let's Encrypt, including Caddy, Traefik, Apache (mod_md), and Nginx via an ACME client such as certbot, can get certificates from your private step-ca instance; the only configuration changes are pointing the client at your CA's ACME directory URL and making it trust your root certificate. Because step-ca issues short-lived certificates by default, this automation is what makes the setup practical rather than a convenience.

Certificates can be issued in exchange for various proofs of identity, depending on which provisioners you configure: completing an ACME challenge, presenting an OpenID Connect token from a single sign-on provider such as Okta or Google, presenting a cloud instance identity document from AWS or Azure, or presenting a one-time token signed with a provisioner key, typically minted by a deployment tool such as Terraform or Ansible. step-ca is designed to work alongside the step command-line tool, which handles the client side of requesting, renewing, and inspecting certificates.
The project is open source under the Apache 2.0 license, and Smallstep also offers a commercial version with additional features such as high availability, a web admin interface, and device identity management.
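As an added example of use case 3 and the ACME paragraph above (not code from the smallstep project), here is a shell script that wires Caddy, and certbot in front of Nginx, to an ACME provisioner on a private step-ca. The hostnames ca.internal and api.internal, port 9000, the provisioner name acme, and all file paths are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the smallstep project: stand up an ACME provisioner on a
# private step-ca and point Caddy (and certbot for Nginx) at it. The hostnames
# ca.internal / api.internal, port 9000, the file paths and the provisioner name
# "acme" are assumptions.
set -eu

CA_URL="${CA_URL:-https://ca.internal:9000}"
PROVISIONER="${PROVISIONER:-acme}"

# step-ca serves one ACME directory per ACME provisioner at /acme/<name>/directory;
# this URL replaces Let's Encrypt's directory URL in any ACME client.
acme_directory_url() {
  printf '%s/acme/%s/directory\n' "$1" "$2"
}

# Caddyfile with global options: acme_ca swaps the directory URL, acme_ca_root
# makes Caddy trust the private root when it talks TLS to the CA itself.
# Without acme_ca_root the ACME exchange fails at the first TLS handshake.
write_caddyfile() {
  out="$1"; ca_url="$2"; prov="$3"; root="$4"; site="$5"
  cat > "$out" <<EOF
{
    acme_ca $(acme_directory_url "$ca_url" "$prov")
    acme_ca_root $root
}

$site {
    reverse_proxy localhost:8080
}
EOF
}

# On the CA host, once. --acme adds an ACME provisioner named "acme" at init.
# The printed root fingerprint is what clients pin when they fetch the root.
setup_ca() {
  step ca init --deployment-type standalone --name "Internal CA" \
    --dns ca.internal --address :9000 --provisioner admin \
    --password-file ./ca-password.txt --acme
  step certificate fingerprint "$(step path)/certs/root_ca.crt"
  # Blocks; under systemd or similar in practice.
  step-ca "$(step path)/config/ca.json" --password-file ./ca-password.txt
}

# On the Caddy host: fetch the root over the CA URL, verified against the pinned
# fingerprint (never a plain download), write the Caddyfile, start Caddy. The CA
# must be able to reach this host on :80 or :443 for http-01 / tls-alpn-01.
setup_caddy() {
  fingerprint="$1"
  step ca root /etc/caddy/root_ca.crt --ca-url "$CA_URL" --fingerprint "$fingerprint"
  write_caddyfile /etc/caddy/Caddyfile "$CA_URL" "$PROVISIONER" /etc/caddy/root_ca.crt api.internal
  caddy run --config /etc/caddy/Caddyfile
}

# Nginx has no built-in ACME client; certbot does the same exchange. It needs the
# private root in its own HTTPS trust store, supplied via REQUESTS_CA_BUNDLE.
setup_nginx_certbot() {
  fingerprint="$1"
  step ca root /etc/ssl/private-root.crt --ca-url "$CA_URL" --fingerprint "$fingerprint"
  REQUESTS_CA_BUNDLE=/etc/ssl/private-root.crt certbot certonly --nginx \
    --server "$(acme_directory_url "$CA_URL" "$PROVISIONER")" -d api.internal
}

case "${1:-}" in
  ca)    setup_ca ;;
  caddy) setup_caddy "$2" ;;
  nginx) setup_nginx_certbot "$2" ;;
  *)     ;;   # no argument: only defines the functions, nothing runs
esac
```

Run it with `ca` on the CA host, then `caddy <fingerprint>` or `nginx <fingerprint>` on a client; with no argument it only defines the functions. Two things trip people up: the client must trust the private root for its connection to the CA itself (that is what acme_ca_root and REQUESTS_CA_BUNDLE do), and the CA must be able to reach the client on port 80 or 443 to complete the http-01 or tls-alpn-01 challenge, otherwise you need dns-01. Traefik's ACME resolver takes the same directory URL as its caServer setting. Because step-ca issues 24-hour leaf certificates by default, the renewal these clients perform is mandatory, not optional.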
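As an added example of use case 2 and the SSH paragraph above (not code from the smallstep project): the per-server sshd change and the client-side known_hosts entry that replace authorized_keys management, plus an offline stand-in, using only ssh-keygen, for the signing that step-ca performs. The CA key names, the host db1.internal, the user alice, the principals and the paths are assumptions; the real step commands are collected in a function that the script does not execute.

```shell
#!/bin/sh
# Added example, not from the smallstep project: the two sides of SSH certificate
# authentication that step-ca puts in place of authorized_keys. Hostnames, paths,
# principals and lifetimes below are assumptions.
set -eu

# sshd_config lines a target host needs: trust the CA's *user* CA key for incoming
# logins, and present its own host certificate to clients. This is the one-time
# per-server change; no per-user authorized_keys entries remain.
sshd_snippet() {
  user_ca_pub="$1"; host_key="$2"
  printf 'TrustedUserCAKeys %s\nHostKey %s\nHostCertificate %s-cert.pub\n' \
    "$user_ca_pub" "$host_key" "$host_key"
}

# known_hosts line that makes a client trust any host certificate signed by the
# host CA for names matching the pattern, instead of one entry per host key.
known_hosts_line() {
  pattern="$1"; host_ca_pubkey="$2"
  printf '@cert-authority %s %s\n' "$pattern" "$host_ca_pubkey"
}

# Offline stand-in for what step-ca does: sign a host key and a user key with two
# CA keys, with short lifetimes, then read the user certificate back. Prints the
# user certificate's principals (the accounts alice may log in as).
demo_sign() {
  dir=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$dir/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_key"
  ssh-keygen -q -t ed25519 -N '' -f "$dir/id_alice"
  # Host certificate (-h): the principal is the name clients connect to.
  ssh-keygen -q -s "$dir/host_ca" -I db1.internal -h -n db1.internal -V +1d \
    "$dir/ssh_host_key.pub" >/dev/null
  # User certificate: 16 h validity, so access lapses on its own unless the CA
  # re-issues; that is what makes central revocation cheap.
  ssh-keygen -q -s "$dir/user_ca" -I alice@example.com -n alice,ops -V +16h \
    "$dir/id_alice.pub" >/dev/null
  ssh-keygen -L -f "$dir/id_alice-cert.pub" | awk '
    /Principals:/ { p = 1; next }
    /Critical Options:/ { p = 0 }
    p { sub(/^[[:space:]]+/, ""); s = s (s ? "," : "") $0 }
    END { print s }'
  rm -rf "$dir"
}

# The same issuances against a real step-ca (needs step, a CA initialised with
# `step ca init --ssh`, and a bootstrapped client). Not run by this script.
issue_with_step_ca() {
  step ssh config --roots > /etc/ssh/ca-user.pub        # user CA public key(s)
  sshd_snippet /etc/ssh/ca-user.pub /etc/ssh/ssh_host_ed25519_key >> /etc/ssh/sshd_config
  step ssh certificate --host --sign db1.internal /etc/ssh/ssh_host_ed25519_key.pub
  step ssh certificate alice@example.com "$HOME/.ssh/id_ed25519"   # via the CA's provisioner, e.g. OIDC
  known_hosts_line '*.internal' "$(step ssh config --host --roots)" >> "$HOME/.ssh/known_hosts"
}

case "${1:-}" in
  demo)  demo_sign ;;
  issue) issue_with_step_ca ;;
  *)     ;;   # no argument: only defines the functions, nothing runs
esac
```

Run it with `demo` to see the offline signing; `issue` runs the step commands against a real CA. What makes revocation central is visible in the demo: the user certificate carries its principals and a 16-hour validity, so access ends when the CA stops re-issuing, and a server only ever needs the CA's public key, never each user's. For revoking a still-valid certificate immediately, sshd additionally supports a key revocation list via RevokedKeys.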

Copy-paste prompts

Prompt 1
Set up step-ca on Ubuntu to issue internal HTTPS certificates and configure Nginx to auto-renew them using the ACME protocol.
Prompt 2
How do I use step-ca to issue SSH certificates for users and servers so I can revoke access centrally without touching authorized_keys files?
Prompt 3
Configure step-ca to accept Okta SSO tokens as proof of identity when issuing certificates to internal services.
Prompt 4
Walk me through issuing a certificate from step-ca using an AWS EC2 instance identity document as the provisioner.
Prompt 5
How do I set up step-ca so that Caddy automatically gets and renews a certificate from my private CA instead of Let's Encrypt?


Verify against the repo before relying on details.