step-ca is an online certificate authority for secure, automated certificate management. It's the server counterpart to the step CLI tool.
You can use it to:
Whatever your use case, step-ca is easy to use and hard to misuse, thanks to safe, sane defaults.
Don't want to run your own CA?
To get up and running quickly, or as an alternative to running your own step-ca server, consider creating a free hosted smallstep Certificate Manager authority.
Setting up a public key infrastructure (PKI) is out of reach for many small teams. step-ca makes it easier.
There are several ways to authorize a request with the CA and establish a chain of trust that suits your flow.
You can issue certificates in exchange for:
ACME is the protocol used by Let's Encrypt to automate the issuance of HTTPS certificates. It's super easy to issue certificates to any ACMEv2 (RFC8555) client.
Supports the most popular ACME challenge types:
http-01, place a token at a well-known URL to prove that you control the web server
dns-01, add a TXT record to prove that you control the DNS record set
tls-alpn-01, respond to the challenge at the TLS layer (as Caddy does) to prove that you control the web server
Works with any ACME client. We've written examples for:
Get certificates programmatically using ACME, using these libraries:
The step CLI tool is also an ACME client!
See our ACME tutorial for more
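What a client actually publishes for the http-01 and dns-01 challenges listed above, following RFC 8555 section 8 and the RFC 7638 key thumbprint. This is an added example, not code from step-ca or smallstep; the type and function names are hypothetical, and the key, token and domain are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// ECJWK holds the public members of an EC ACME account key (hypothetical type).
type ECJWK struct{ Crv, X, Y string }

var b64 = base64.RawURLEncoding // base64url without padding, as ACME requires

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required
// members in lexicographic order, serialized with no whitespace.
func (k ECJWK) Thumbprint() string {
	canon := fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`, k.Crv, k.X, k.Y)
	sum := sha256.Sum256([]byte(canon))
	return b64.EncodeToString(sum[:])
}

// KeyAuthorization binds the CA's challenge token to the account key, so a
// token alone is not enough to answer a challenge (RFC 8555 section 8.1).
func KeyAuthorization(token string, k ECJWK) string {
	return token + "." + k.Thumbprint()
}

// HTTP01 returns the URL path the CA fetches over HTTP and the body it expects.
func HTTP01(token string, k ECJWK) (path, body string) {
	return "/.well-known/acme-challenge/" + token, KeyAuthorization(token, k)
}

// DNS01 returns the TXT record name and value the CA looks up.
func DNS01(domain, token string, k ECJWK) (name, value string) {
	sum := sha256.Sum256([]byte(KeyAuthorization(token, k)))
	return "_acme-challenge." + domain, b64.EncodeToString(sum[:])
}

func main() {
	// Constructed sample values, not a real account key or CA-issued token.
	key := ECJWK{Crv: "P-256", X: "c2FtcGxlLXgtY29vcmRpbmF0ZQ", Y: "c2FtcGxlLXktY29vcmRpbmF0ZQ"}
	token := "constructed-sample-token"
	p, b := HTTP01(token, key)
	fmt.Printf("http-01: GET %s -> %s\n", p, b)
	n, v := DNS01("example.com", token, key)
	fmt.Printf("dns-01:  %s TXT %q\n", n, v)
}
```

Because both responses depend on the account key thumbprint, control of the web server or DNS zone only satisfies the challenge for the ACME account that requested it.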
step-ca by using SSH certificates instead of public keys and
See our installation docs here.
Documentation can be found in a handful of different places:
On the web at https://smallstep.com/docs/step-ca.
On the command line with step help ca xxx, where xxx is the subcommand you are interested in. Ex: step help ca provisioner list.
In your browser, by running step help --http=:8080 ca from the command line and visiting http://localhost:8080.
The docs folder is being deprecated, but it still has some documentation and tutorials.