CLMOpen source · Apache-2.0
step-ca
By Smallstep
An open-source, self-hosted private certificate authority for issuing X.509 and SSH certificates, with a built-in ACME server so internal services can request and renew their own certificates automatically. Driven by the companion step command-line tool; Smallstep sells a hosted Certificate Manager built on the same engine for teams that don't want to run the CA themselves.
Verified Source: 1
- Product type
- Software
- Deployment
- CLIOn-premHybrid
- Organization size
- IndividualSMBMid-market
- Pricing tier
- Free
Capability checklist
CLMHow step-ca measures up against the full Certificate Lifecycle Management taxonomy.
- Certificate discovery & inventory — not supported
- Finds every certificate across on-prem, cloud, and Kubernetes environments — including unknown, expired, and shadow certificates nobody was tracking.
- Automated issuance & renewal — supported
- Issues and renews certificates automatically through ACME and direct CA integrations, so nothing depends on someone remembering to do it by hand.
- Expiry monitoring & alerting — not supported
- Watches expiration dates across the whole estate and alerts owners well before a certificate lapses and causes an outage.
- Private CA & internal PKI — supported
- Runs internal certificate authorities and PKI to issue the private certificates that secure machine-to-machine and internal service traffic.
- Deployment integrations — not supported
- Pushes issued certificates directly into load balancers, Kubernetes, MDM, and web servers instead of leaving admins to install them by hand.
- Crypto-agility & rotation — not supported
- Inventories the algorithms and keys in use and rotates them at scale, including preparing for the migration to post-quantum cryptography.
Alternatives
Other Certificate Lifecycle Management tools with overlapping capabilities, sized for similar teams.