
certificates

by smallstep

8.0K stars
519 forks
76 watchers
Updated 3 months ago
About

step-ca is a private certificate authority and ACME server enabling secure, automated issuance and management of X.509 and SSH certificates for DevOps environments.

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

Primary Use Case

This tool is designed for DevOps teams and security engineers who need to automate the issuance and management of TLS and SSH certificates within private infrastructure. It provides a private CA that issues HTTPS certificates, supports single sign-on for SSH, and speaks the ACME protocol, making it well suited to managing certificates across VMs, containers, APIs, and Kubernetes clusters.

Key Features
  • Issues HTTPS server and client certificates compliant with RFC 5280 and CA/Browser Forum standards
  • Supports issuance of TLS certificates for various DevOps resources like VMs, containers, APIs, and Kubernetes pods
  • Issues SSH certificates for users via single sign-on tokens and for hosts using cloud instance identity documents
  • Acts as an ACME server supporting all popular ACME challenge types for automated certificate management
  • Provides a Go client wrapper and a CLI tool for scripting and automation
  • Supports multiple key types including RSA, ECDSA, and EdDSA with configurable lifetimes
  • Optimized for two-tier PKI setups suitable for common DevOps use cases

Installation

  • Visit the official documentation at https://smallstep.com/docs/step-ca/installation for detailed installation steps
  • Download and install the step CLI tool from https://github.com/smallstep/cli
  • Set up the step-ca server following the installation guide to initialize your private CA
  • Configure step-ca according to your environment requirements (key types, lifetimes, ACME settings)
  • Use the step CLI or Go wrapper to interact with the step-ca server for certificate issuance and management

Usage

  $ step-ca $(step path)/config/ca.json

Starts the step-ca server with the given configuration file so it can begin issuing certificates

  $ step ca certificate <subject> <crt-file> <key-file>

Issues a new X.509 certificate for the given subject (for example a hostname) and writes the certificate and private key to the specified files

  $ step ssh certificate --sign <key-id> <pub-key-file> --principal <principal>

Issues an SSH user certificate for an existing public key, valid for the given principal

  $ step ca renew <crt-file> <key-file>

Renews an existing certificate, authenticating to the CA with the current certificate and key

  $ step ca revoke <serial-number>

Revokes a certificate issued by the CA, identified by its serial number

  $ step ca provisioner add <name> --type <type>

Adds a new provisioner of the given type (for example JWK, OIDC, or ACME) for authenticating and authorizing certificate requests

Security Frameworks
  • Defense Evasion
  • Credential Access
  • Initial Access
  • Persistence
  • Privilege Escalation

Usage Insights
  • Integrate step-ca with CI/CD pipelines to automate certificate issuance and rotation, reducing the exposure that comes from expired, long-lived, or weak certificates.
  • Leverage SSH certificate issuance with SSO tokens to centralize and strengthen access control, minimizing risks from stolen static SSH keys.
  • Use step-ca's ACME server capabilities to automate TLS certificate lifecycle management across ephemeral infrastructure like containers and Kubernetes pods.
  • Combine step-ca with monitoring tools to detect anomalous certificate issuance patterns as an early indicator of compromise.
  • Employ step-ca in purple team exercises to simulate credential theft and test detection and response capabilities around certificate-based authentication.


Security Profile
  • Red Team: 30%
  • Blue Team: 90%
  • Purple Team: 70%

Details
  • License: Apache License 2.0
  • Language: Go
  • Open Issues: 688
Topics: tls, x509, certificates, security, security-tools, certificate-authority, pki, ca, go, acme-server