step-ca
step-ca is a private CA and ACME server for issuing and automating X.509 TLS and SSH certificates, enabling short-lived credentials and secure enrollment for teams.

step-ca is an online private certificate authority for issuing and managing X.509 (TLS) and SSH certificates. It is designed for automated certificate lifecycle management in DevOps environments, including short-lived certificates and multiple enrollment options.
Key Features
- Private ACMEv2 server for automated TLS certificate issuance and renewal
- Issues X.509 server and client certificates (configurable key types and lifetimes)
- SSH certificate authority for user and host certificates
- Multiple provisioning methods, including ACME challenges, OIDC/OAuth tokens, cloud instance identity documents, and JWK-based bootstrapping
- Supports operating as an intermediate CA under an existing root CA
- Pluggable database backends for CA state (including embedded and SQL options)
Use Cases
- Automate internal TLS for services, APIs, containers, and Kubernetes workloads
- Replace static SSH keys with short-lived SSH certificates tied to SSO
- Run a private ACME service for development, staging, and internal production environments
Limitations and Considerations
- Some enterprise PKI features (for example, full high availability at very high issuance volume, advanced revocation services, or a web-based admin UI) may require additional tooling or a commercial offering
step-ca is a strong choice for teams that need a flexible private CA with ACME automation and SSH certificate support. It helps standardize identity and trust across infrastructure while reducing manual certificate handling.