• Stars
    star
    6,457
  • Rank 6,152 (Top 0.2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 6 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

๐Ÿ›ก๏ธ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

Step Certificates

step-ca is an online certificate authority for secure, automated certificate management. It's the server counterpart to the step CLI tool.

You can use it to:

  • Issue X.509 certificates for your internal infrastructure:
    • HTTPS certificates that work in browsers (RFC5280 and CA/Browser Forum compliance)
    • TLS certificates for VMs, containers, APIs, mobile clients, database connections, printers, wifi networks, toaster ovens...
    • Client certificates to enable mutual TLS (mTLS) in your infra. mTLS is an optional feature in TLS where both client and server authenticate each other. Why add the complexity of a VPN when you can safely use mTLS over the public internet?
  • Issue SSH certificates:
    • For people, in exchange for single sign-on ID tokens
    • For hosts, in exchange for cloud instance identity documents
  • Easily automate certificate management:

Whatever your use case, step-ca is easy to use and hard to misuse, thanks to safe, sane defaults.


Don't want to run your own CA? To get up and running quickly, or as an alternative to running your own step-ca server, consider creating a free hosted smallstep Certificate Manager authority.


Questions? Find us in Discussions or Join our Discord.

Website | Documentation | Installation | Getting Started | Contributor's Guide

GitHub release Go Report Card Build Status License CLA assistant

GitHub stars Twitter followers

star us

Features

๐Ÿฆพ A fast, stable, flexible private CA

Setting up a public key infrastructure (PKI) is out of reach for many small teams. step-ca makes it easier.

โš™๏ธ Many ways to automate

There are several ways to authorize a request with the CA and establish a chain of trust that suits your flow.

You can issue certificates in exchange for:

๐Ÿ” Your own private ACME server

ACME is the protocol used by Let's Encrypt to automate the issuance of HTTPS certificates. It's super easy to issue certificates to any ACMEv2 (RFC8555) client.

๐Ÿ‘ฉ๐Ÿฝโ€๐Ÿ’ป An online SSH Certificate Authority

  • Delegate SSH authentication to step-ca by using SSH certificates instead of public keys and authorized_keys files
  • For user certificates, connect SSH to your single sign-on provider, to improve security with short-lived certificates and MFA (or other security policies) via any OAuth OIDC provider.
  • For host certificates, improve security, eliminate TOFU warnings, and set up automated host certificate renewal.

๐Ÿค“ A general purpose PKI tool, via step CLI integration

Installation

See our installation docs here.

Documentation

Documentation can be found in a handful of different places:

  1. On the web at https://smallstep.com/docs/step-ca.

  2. On the command line with step help ca xxx where xxx is the subcommand you are interested in. Ex: step help ca provisioner list.

  3. In your browser, by running step help --http=:8080 ca from the command line and visiting http://localhost:8080.

  4. The docs folder is being deprecated, but it still has some documentation and tutorials.

Feedback?

More Repositories

1

cli

๐Ÿงฐ A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
Go
3,586
star
2

autocert

โš“ A kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers
Go
687
star
3

step-issuer

โš™๏ธA certificate issuer for cert-manager using step certificates CA
Go
194
star
4

truststore

Package to locally install development certificates
Go
96
star
5

hello-mtls

๐Ÿ‘‹ Docs demonstrating mutual TLS configurations in various technologies
JavaScript
89
star
6

crypto

Crypto is a collection of packages used by Smallstep products
Go
71
star
7

step-sds

๐Ÿ”ญ Secret discovery service (SDS): simplifying certificate management for relying parties (such as Envoy)
Go
68
star
8

helm-charts

Helm packages for Kubernetes
Shell
45
star
9

step-kms-plugin

๐Ÿ” step plugin to manage keys and certificates on a cloud KMSs and HSMs
Go
45
star
10

docker-tls

TLS Certificate Management solutions for common Docker services. Including ACME enrollment, renewal, and reloading. Works with smallstep/certificates.
Shell
45
star
11

step-ssh-example

An example of how to leverage `step ssh` to achieve Single Sign-On for SSH
Shell
43
star
12

nosql

NoSQL is an abstraction layer for data persistency
Go
20
star
13

scep

Go SCEP server
Go
17
star
14

docs

๐Ÿ“– Documentation for Smallstep open source tools and products served at https://smallstep.com/docs
MDX
15
star
15

pkcs11-key-wrap

๐Ÿ” Wrap keys from HSM using CKM_RSA_AES_KEY_WRAP step by step
Go
13
star
16

clients

Various client examples for getting TLS certificates from a Smallstep CA server
Python
13
star
17

mongo-tls

Complete setups for MongoDB single-node TLS, cluster TLS, and X.509 user authentication, using the step-ca online Certificate Authority.
Shell
12
star
18

docs-old

DO NOT USE. See: https://github.com/smallstep/docs
11
star
19

cli-utils

Common code between step and step-ca
Go
10
star
20

step-aws-emojivoto

Self-service proof of concept securing microservices with step on AWS
Puppet
7
star
21

logging

Log with confidence
Go
7
star
22

homebrew-smallstep

formulas for building and installing packages via homebrew
Ruby
7
star
23

webhooks

Example server implementation for step-ca webhooks
Go
6
star
24

terraform-provider-smallstep

Go
6
star
25

butane-smallstep-acme-ra

Butane smallstep ACME RA for Fedora CoreOS
Jinja
5
star
26

scoop-bucket

๐Ÿชฃ Scoop bucket for Smallstep open source projects
4
star
27

ansible-collection-sigstore

An Ansible collection for using Sigstore to verify file signatures
Python
4
star
28

action-install-step-cli

A GitHub Action to install step CLI on Linux and MacOS.
3
star
29

linkedca

๐Ÿคตโ€โ™‚๏ธSupport for Linked CAs using protocol buffers and gRPC
Go
3
star
30

qb

Just a simple SQL query builder
Go
3
star
31

ansible-collection-agent

An Ansible Collection for installing the smallstep agent
Python
2
star
32

action-smallstep-ca-bootstrap

A GitHub Action to bootstraps your CA on your GitHub Action runs with step CLI
2
star
33

go-grpc-example

An example of using TLS with gRPC in Go
Go
2
star
34

tls-probe

Shell
2
star
35

docker-ca-trust

Dockerfiles that bootstrap with an internal X.509 Certificate Authority
2
star
36

run-anywhere-terraform

Terraform modules to set up the base resources required by a run anywhere on-premise installation.
Python
2
star
37

smallstep-python

A Python client library for the Smallstep API
Python
2
star
38

ansible-collection-cli

An Ansible collection for installing step CLI
2
star
39

aur-step-ca-bin

Shell
1
star
40

workflows

1
star
41

sshutil

๐Ÿคซ ๐Ÿงฑ a not-so-secret SSH client & server utility module.
Go
1
star
42

smallstep-desktop

1
star
43

step-agent-plugin

1
star
44

assert

A simple assertion framework for Go
Go
1
star
45

analyze-step-ca-db

Unofficial helpers for analyzing the step-ca database
Go
1
star
46

aur-step-cli-bin

Shell
1
star
47

sequel

Go
1
star