This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
This project is a toolkit for creating and managing X.509 certificate authorities, providing tools for the issuance, signing, and management of TLS certificates and private keys. It includes a command-line utility for generating certificate signing requests, bundling certificate chains, and parsing PEM or DER files. The system features an HTTP API server that allows for remote signing and verification of certificates using JSON requests and responses. This architecture supports automated certificate provisioning and includes a signing proxy to forward requests to remote backend services. The
This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads. The project distinguishes itself through its extensive support for a
Certd is a self-hosted platform that automates the full lifecycle of SSL certificates using the ACME protocol. It handles certificate application, renewal, and deployment across multiple domains through a pipeline-driven workflow engine, with DNS challenge orchestration and multi-cloud deployment capabilities. The platform distinguishes itself through its configurable pipeline system, which allows users to build multi-step workflows that can pass outputs between tasks, execute custom scripts, and handle errors. It supports multi-tenant access control with role-based permissions, encrypted cre
This project is a command-line tool for managing public key infrastructure and digital identities. It provides a comprehensive suite for X.509 certificate lifecycle management, including the generation, signing, renewal, and revocation of certificates and signing requests.
The main features of smallstep/cli are: Certificate Lifecycle Management, X.509 Management Utilities, Public Key Infrastructure, ACME Certificate Provisioners, ACME Clients, Asymmetric Key Generators, Certificate Authorities, Certificate Automation Protocols.
Open-source alternatives to smallstep/cli include:

smallstep/certificates — This project is a public key infrastructure management system designed to automate the issuance, renewal, and…
cloudflare/cfssl — This project is a toolkit for creating and managing X.509 certificate authorities, providing tools for the issuance,…
cert-manager/cert-manager — This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS…
certd/certd — Certd is a self-hosted platform that automates the full lifecycle of SSL certificates using the ACME protocol. It…
openvpn/easy-rsa — Easy-RSA is a shell-based utility designed to automate the creation and management of a public key infrastructure. It…
digitalbazaar/forge — Forge is a JavaScript cryptography library providing a comprehensive set of tools for symmetric and asymmetric…