Cyber Tool Stack
All tools
CLMOpen source · Apache-2.0

step-ca

By Smallstep

An open-source, self-hosted private certificate authority for issuing X.509 and SSH certificates, with a built-in ACME server so internal services can request and renew their own certificates automatically. Driven by the companion step command-line tool; Smallstep sells a hosted Certificate Manager built on the same engine for teams that don't want to run the CA themselves.

Verified Source: 1

Product type
Software
Deployment
CLIOn-premHybrid
Organization size
IndividualSMBMid-market
Pricing tier
Free

Capability checklist

CLM

How step-ca measures up against the full Certificate Lifecycle Management taxonomy.

Certificate discovery & inventory — not supported
Finds every certificate across on-prem, cloud, and Kubernetes environments — including unknown, expired, and shadow certificates nobody was tracking.
Automated issuance & renewal — supported
Issues and renews certificates automatically through ACME and direct CA integrations, so nothing depends on someone remembering to do it by hand.
Expiry monitoring & alerting — not supported
Watches expiration dates across the whole estate and alerts owners well before a certificate lapses and causes an outage.
Private CA & internal PKI — supported
Runs internal certificate authorities and PKI to issue the private certificates that secure machine-to-machine and internal service traffic.
Deployment integrations — not supported
Pushes issued certificates directly into load balancers, Kubernetes, MDM, and web servers instead of leaving admins to install them by hand.
Crypto-agility & rotation — not supported
Inventories the algorithms and keys in use and rotates them at scale, including preparing for the migration to post-quantum cryptography.

Alternatives

Other Certificate Lifecycle Management tools with overlapping capabilities, sized for similar teams.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.