step-ca

step-ca is an online private certificate authority for issuing and managing X.509 (TLS) and SSH certificates. It is designed for automated certificate lifecycle management in DevOps environments, including short-lived certificates and multiple enrollment options.

Key Features

• Private ACMEv2 server for automated TLS certificate issuance and renewal
• Issues X.509 server and client certificates (configurable key types and lifetimes)
• SSH certificate authority for user and host certificates
• Multiple provisioning methods, including ACME challenges, OIDC/OAuth tokens, cloud instance identity documents, and JWK-based bootstrapping
• Supports operating as an intermediate CA under an existing root CA
• Pluggable database backends for CA state (including embedded and SQL options)

Use Cases

• Automate internal TLS for services, APIs, containers, and Kubernetes workloads
• Replace static SSH keys with short-lived SSH certificates tied to SSO
• Run a private ACME service for development, staging, and internal production environments

Limitations and Considerations

• Some enterprise PKI features (for example full HA at very high volume, advanced revocation services, or a web admin UI) may require additional tooling or a commercial offering

step-ca is a strong choice for teams that need a flexible private CA with ACME automation and SSH certificate support. It helps standardize identity and trust across infrastructure while reducing manual certificate handling.