Certificates

This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access.

The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider instance documents, Kubernetes service account tokens, and ACMEv2 compliant challenge mechanisms.

Broad capabilities cover the full certificate lifecycle, from automated enrollment via background agents to the management of short-lived SSH certificates. The platform also includes device inventory tracking, mutual TLS network security, and template-based certificate generation with custom extensions.

Operational management is provided through a dedicated command-line interface for PKI lifecycle tasks and metadata inspection.

Features

Certificate Authorities - Provides a complete system for generating, signing, and managing digital certificates as a certificate authority.

TLS Certificate Management - Automates the issuance of X.509 certificates to establish a private public key infrastructure.

PKI Management - Provides a complete system for managing private public key infrastructure and automating X.509 certificate lifecycles.

ACME Implementations - Implements the ACMEv2 protocol to automate the issuance and renewal of certificates using standard challenge types.

ACME Server Implementations - Hosts a full ACMEv2 compliant server to provide automated HTTPS certificate issuance for clients.

Automated Certificate Management Systems - Provides a comprehensive system for automating the issuance, renewal, and revocation of TLS and mTLS certificates.

Client Certificate Generators - Generates private keys and signed certificates with support for custom validity periods and identity names.

User Certificates - Generates short-lived user certificates to replace static authorized keys files.

Certificate Automation Protocols - Implements standardized challenge-response mechanisms for automated certificate issuance and renewal via the ACME protocol.

Certificate Issuance Policies - Defines issuance policies and manages administrative access to govern the criteria for granting certificates.

Certificate Issuance Utilities - Provides tools for issuing and renewing certificates via an ACMEv2 compliant server.

Ephemeral Certificate Issuance - Rotates short-lived SSH certificates tied to identity providers to eliminate manual key management.

Identity-Based Issuance - Generates short-lived user certificates based on successful authentication from integrated identity providers.

Certificate Lifecycle Management - Provides a CLI to manage the full certificate lifecycle, including issuance, renewal, and revocation.

Certificate Lifecycle Managers - Manages the end-to-end enrollment, renewal, and revocation of certificates via a background agent.

Certificate Renewal Managers - Updates expiring certificates and provides mechanisms to invalidate active certificates to maintain security.

Certificate Revocations - Invalidates active certificates via serial number or key pair to prevent further use of compromised credentials.

Cluster Communication Security - Implements mutual TLS and SSH certificates to encrypt and authenticate communication between workloads.

SSL/TLS Certificate Management - Provides comprehensive tools for creating, revoking, and bundling TLS certificates for network security.

Device Approval Workflows - Tracks approved devices and hardware identifiers to serve as the basis for access policies.

Hardware Identity Attestations - Binds cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration.

Device Identity Management - Uses cryptographic attestation and challenges to ensure only authorized devices receive certificates.

External Identity Provider Integration - Authorizes certificate requests using tokens or identity documents from external third-party providers.

Device Access Policies - Tracks company-owned devices to ensure only authorized hardware can access resources.

Device Registration Services - Adds devices to the inventory through self-registration or bulk administrative uploads.

Mutual TLS Authentication - Enforces secure resource access by requiring mutual identity verification via TLS and hardware-bound certificates.

Hardware Key Binding - Restricts access by binding cryptographic keys directly to device silicon to prevent credential exfiltration.

Identity Issuance - Assigns unique cryptographic identities to non-human entities to secure their access.

Identity-Based SSH Access - Replaces static SSH keys with short-lived certificates tied to identity providers for secure remote shell access.

Identity Federation Providers - Integrates with external identity providers to authorize certificate requests using OIDC, JWK, or cloud tokens.

Identity Provider Integrations - Integrates with authorization providers to handle user authentication and single sign-on flows.

Intermediate Certificate Authorities - Operates online intermediate authorities to delegate signing power and minimize the exposure of root keys.

Machine Identity - Assigns and rotates cryptographic identities for non-human workloads to secure access without static secrets.

Enrollment Management - Invites specific users to join a team for manual device enrollment and approval.

Automated Certificate Management - Automates the generation and renewal of both TLS and SSH certificates for users, devices, and workloads.

OIDC Identity Integrations - Integrates OpenID Connect to map identity provider tokens to certificate issuance and network access policies.

PKI Automation - Provides automated provisioning of authorities and provisioners to handle the digital certificate lifecycle.

Policy Enforcement Engines - Validates requested certificate subjects and names against defined security and compliance rules before signing.

Certificate Trust Managers - Automates the installation of root certificates into system trust stores to establish a trusted chain.

Certificate Revocation - Invalidates active certificates to prevent their use before the scheduled expiration date.

Host Certificates - Issues certificates that identify hosts to validate authenticity and replace static host keys.

SSH Key Management - Replaces static SSH keys with short-lived certificates for users and hosts to eliminate manual key updates.

Provisioning Logic Plugins - Decouples identity verification from certificate signing by using interchangeable logic for different enrollment protocols.

Command-Line Toolsets - Provides a dedicated command-line toolset for operating PKI and certificate issuance.

Kubernetes Deployments - Handles the issuance and lifecycle management of certificates within Kubernetes clusters.

Hardware Security Module Integrations - Integrates with hardware security modules and cloud KMS to provide secure, hardware-backed signing operations for keys.

ACME Implementations - Provides an ACMEv2 compliant server for automated HTTPS certificate issuance and renewal.

Certificate Field Templates - Defines custom subject alternative names and restrictions using conditional templates.

Certificate Installers - Automates the installation of host certificates during system startup via scripts.

SSHPOP Management - Renews or revokes host certificates by authenticating with the existing certificate via SSHPOP.

Certificate Template Engines - Uses conditional logic and defined fields to dynamically generate certificates with custom extensions and names.

Certificate Template Logic - Configures certificates with custom extensions and conditional logic to meet specific requirements.

Cloud Authentication Integrations - Verifies workload identity using cloud-provider instance documents to authorize certificate issuance.

Certificate Injection - Delivers TLS certificates into containers to secure inter-service communication without requiring manual configuration.

ACME Validation Strategies - Verifies control over hostnames or devices using standard HTTP, DNS, or hardware attestation challenges.

User-to-Device Binding - Ties user logins and certificates to approved physical machines to ensure only authorized hardware is used.

Revocation List Management - Maintains comprehensive lists of revoked certificates to ensure compromised keys are no longer trusted.

Device-Bound Restrictions - Ensures sensitive data is only accessible from trusted, company-managed devices using hardware-backed restrictions.

Service Account Authenticators - Authenticates certificate requests using Kubernetes service account tokens within a cluster.

Certificate Issuance Auditing - Records detailed logs of API requests to track and audit certificate lifecycle events.

Multi-Protocol Enrollment - Verifies identities using multiple protocols including ACME, SCEP, and OpenID before issuing certificates.

SSO Device Enrollment - Allows users to self-enroll devices into the company inventory using their single sign-on identity.

MDM Certificate Deployment - Pushes client certificates to managed devices using dynamic enrollment protocols via MDM.

Mutual TLS Implementations - Implements mutual TLS to encrypt and authenticate communication between services and devices across distributed infrastructure.

Registration Authorities - Acts as a front-end interface for certificate requests while delegating actual signing to an external authority.

Resource Access Control - Defines access configurations to regulate how network resources like Wi-Fi and VPNs are accessed.

SCEP Implementations - Signs and renews certificates using the SCEP protocol for network equipment and mobile devices.

SCEP Implementations - Implements a SCEP server to sign and renew certificates for network equipment and mobile device management.

External Trust Bootstrapping - Establishes trust by creating subordinate authorities to issue leaf certificates from an existing root.

Kubernetes Orchestration - Streamlines the issuance and renewal of certificates specifically for Kubernetes clusters to ensure secure service communication.

Token Authentication - Authenticates certificate requests using short-lived JWK tokens to enable programmatic issuance.

Cheat Sheets - Listed in the “Cheat Sheets” section of the The Book Of Secret Knowledge awesome list.

Identity Management - Private certificate authority for automated certificate management.

Identity Tools - Private certificate authority for automated certificate management.

smallstepcertificates

Features

Star history