30 open-source projects similar to smallstep/cli, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Cli alternative.
This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
This project is a toolkit for creating and managing X.509 certificate authorities, providing tools for the issuance, signing, and management of TLS certificates and private keys. It includes a command-line utility for generating certificate signing requests, bundling certificate chains, and parsing PEM or DER files. The system features an HTTP API server that allows for remote signing and verification of certificates using JSON requests and responses. This architecture supports automated certificate provisioning and includes a signing proxy to forward requests to remote backend services. The
This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads. The project distinguishes itself through its extensive support for a
Certd is a self-hosted platform that automates the full lifecycle of SSL certificates using the ACME protocol. It handles certificate application, renewal, and deployment across multiple domains through a pipeline-driven workflow engine, with DNS challenge orchestration and multi-cloud deployment capabilities. The platform distinguishes itself through its configurable pipeline system, which allows users to build multi-step workflows that can pass outputs between tasks, execute custom scripts, and handle errors. It supports multi-tenant access control with role-based permissions, encrypted cre
Easy-RSA is a shell-based utility designed to automate the creation and management of a public key infrastructure. It functions as a simplified interface for OpenSSL, providing the tooling necessary to establish a root certificate authority and manage X.509 certificates. The project focuses on the lifecycle of digital identities, covering the issuance of certificates to verify entities and the maintenance of revocation lists to invalidate compromised credentials. It specifically provides the utilities required to generate the keys and certificates used to secure OpenVPN connections. The syst
Forge is a JavaScript cryptography library providing a comprehensive set of tools for symmetric and asymmetric encryption, hashing, and digital signatures. It includes a full Transport Layer Security implementation for establishing secure network connections and managing encrypted traffic. The project implements a wide array of public key infrastructure tools, including X.509 certificate management, the generation of certificate signing requests, and the validation of certificate chains. It provides a PKCS cryptographic toolkit for handling secure archives and signed messages, alongside suppo
This project provides a complete OpenVPN server deployment packaged as a Docker container, with an integrated EasyRSA certificate authority for automated public-key infrastructure management. It handles the full lifecycle of a VPN server, from initial PKI bootstrap and server configuration generation to client certificate issuance and revocation, all within a containerized environment. The server is configured entirely through Docker environment variables, eliminating the need for manual configuration file editing. It supports time-based one-time password (TOTP) authentication as a second fac
This project is the core management framework for a security appliance, providing the primary infrastructure for firewall management, network intrusion prevention, and high-availability networking. It serves as the centralized system for controlling network security policies, filtering traffic, and administering a security appliance dashboard. The system is distinguished by its high-availability capabilities, which include synchronizing configurations and connection state tables across redundant nodes to enable automatic hardware failover. It also features a modular plugin architecture for ex
Allinssl is a multi-platform certificate manager and ACME automator designed to handle the full lifecycle of security certificates. It provides a web-based management interface to orchestrate the issuance, renewal, and deployment of certificates across various servers and cloud environments. The system distinguishes itself through an orchestration engine that pushes certificates to diverse targets, including web application firewalls, server control panels, and remote hosts. It automates domain ownership verification using DNS challenges across multiple providers and employs an event-driven w
Dehydrated is a shell-script ACME client that automates the lifecycle of TLS certificates from certificate authorities like Let's Encrypt. It implements the ACME protocol entirely in POSIX shell script with no external dependencies beyond standard Unix tools, relying on OpenSSL for all cryptographic operations including key generation, signing, and certificate parsing. The tool manages account keys, certificates, and configuration as plain files on disk, maintaining certificate metadata and account status in simple text files without a database. It delegates domain validation challenges to us
Lego is an ACME certificate manager and lifecycle tool used to automate the request, renewal, and revocation of SSL and TLS certificates. It implements the ACME protocol to communicate with compliant certificate authorities and manages the full issuance process, including account registration and private key rollovers. The project distinguishes itself through extensive DNS automation, utilizing a provider-based abstraction to solve DNS-01 challenges across various third-party DNS providers. It supports advanced verification workflows such as CNAME-based challenge delegation, DNS zone discover
acme.sh is a shell-based certificate manager and ACME SSL certificate client. It automates the issuance, renewal, and installation of digital security certificates using a portable Unix shell script to remove dependencies on heavy runtime environments. The project specializes in automated domain ownership verification through a DNS challenge automator that integrates with provider APIs. It supports the generation of diverse certificate types, including wildcard certificates and issuance based on pre-existing certificate signing requests. The tool covers the full certificate lifecycle, includ
Automate SSL/TLS certificates on Windows with ease
acme-tiny is a minimal ACME client implemented as a single-file Python script that automates obtaining and renewing SSL/TLS certificates from a Certificate Authority using the Automated Certificate Management Environment (ACME) protocol. It relies on OpenSSL command-line tools for key generation and certificate signing request creation, and uses file-based HTTP validation to verify domain ownership by placing a token file on the web server. Designed for fully automated certificate lifecycle management, acme-tiny is intended to be executed periodically by a system scheduler like cron, checking
Certmagic is a Go library for automating the issuance and renewal of TLS certificates. It functions as an automatic HTTPS provisioner and ACME client that handles the full lifecycle of certificates to ensure secure connectivity without manual intervention. The library is distinguished by its support for on-demand TLS provisioning, which generates certificates dynamically during the TLS handshake based on the server name. It also provides automation for wildcard certificates through DNS challenge verification and integrates with the ZeroSSL API for certificate acquisition. The project covers
Infisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It employs client-side encryption to ensure that secrets remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access. The platform distinguishes itself through dynamic credential provisioning, which generates short-lived access tokens that are automatically revoked after use. It supports
Authlib is a comprehensive Python library for building and integrating OAuth 1.0, OAuth 2.0, and OpenID Connect clients and servers. It provides a unified set of tools to manage authentication and authorization flows, allowing applications to either act as a client connecting to external identity providers or as a provider issuing tokens and managing user identities. The project distinguishes itself through a full implementation of the JOSE standards, offering a suite of cryptographic tools for generating, signing, encrypting, and validating JSON Web Tokens, Signatures, Encryption, and Keys.
cert-manager is a Kubernetes TLS certificate manager and cluster add-on that automates the issuance and renewal of TLS certificates. It functions as a certificate lifecycle automator, managing certificates as native Kubernetes resources to secure internal and external network traffic. The project includes an ACME protocol client to automate certificate requests and validations from providers. It utilizes a controller to synchronize the desired state of certificates with responses from various certificate authorities. The system covers certificate provisioning from external issuers and vault
Boulder is a production-grade implementation of the ACME (Automated Certificate Management Environment) protocol, built around the same infrastructure that powers Let's Encrypt. It functions as a full certificate authority that automates the issuance, renewal, and revocation of TLS certificates, supporting multiple key algorithms including RSA, ECDSA, and experimental post-quantum ML-DSA keys. The project distinguishes itself through its multi-algorithm PKI hierarchy, which builds separate RSA and ECDSA root chains with cross-signing to support dual-algorithm trust paths. It includes a CRL-ba
This project is an automated SSL certificate manager and orchestrator for Nginx proxy configurations. It functions as an ACME protocol client that handles the request, issuance, and renewal of security certificates for web services running in containers. The system monitors Docker container lifecycle events to automatically provision certificates based on assigned hostnames. It automates the full certificate lifecycle, including domain ownership validation and the issuance of specialized wildcard or multi-domain certificates. The tool manages security through both HTTP and DNS challenge reso
This project is a command-line tool that automates the entire lifecycle of security certificates using standard domain validation protocols. It functions as a background service to manage the issuance, renewal, and installation of certificates, ensuring that encrypted web traffic remains active without requiring manual intervention. The tool distinguishes itself through extensive support for automated domain ownership verification, including the ability to issue wildcard certificates by programmatically interacting with external domain name system providers. It provides flexible validation op
This project is a Django library that enables web applications to authenticate users through third-party identity providers using standard protocols like OAuth and OpenID Connect. It functions as an integration layer that delegates authentication to external services, allowing users to sign in with existing accounts while maintaining a persistent link to their local application profile. The library distinguishes itself through a modular pipeline that executes a sequence of functions to validate and manage user records during the login process. It employs a strategy-based approach to encapsula
kops is a Kubernetes cluster provisioner and lifecycle manager designed to automate the creation, maintenance, and destruction of production-grade clusters on cloud infrastructure. It functions as a declarative infrastructure manager, synchronizing the live state of a cluster with versioned manifests stored in remote object storage to ensure idempotent operations. The project distinguishes itself by offering comprehensive automation for the entire cluster lifecycle, including high-availability control plane deployment, incremental rolling updates, and automated version upgrades. It also serve
Authlib is a comprehensive Python framework for implementing OAuth 1.0, OAuth 2.0, and OpenID Connect clients and servers. It provides a complete toolkit for identity management, spanning the development of authorization servers, resource servers, and client-side integrations. The library distinguishes itself through a full implementation of the JOSE specifications, including JSON Web Tokens, Encryption, Signatures, and Keys. It features specialized capabilities for non-interactive authentication via service account assertion frameworks and a compliance-correction layer designed to handle ide
This project is an OpenPGP cryptography library designed for encrypting, decrypting, and signing messages according to the OpenPGP standard for secure communication. It functions as an asymmetric encryption toolkit for securing data and managing digital identities through cryptographic operations. The library provides a cryptographic key manager to create and handle the public and private key pairs required for identity operations. It includes a digital signature implementation to ensure message authenticity and data integrity. The system covers a broad range of capabilities, including asymm
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
This project is a Ruby wrapper for the Twitter API, providing a programmatic interface to interact with the platform's REST and streaming endpoints. It serves as an API client for managing social content, users, and account activity. The library includes specialized tools for real-time data streaming, allowing the acquisition of live public posts, account events, and user activity. It differentiates itself with advanced media handling, such as chunked uploading for large files, and integrated traffic management to monitor rate limits and detect streaming stalls. Broadly, the project covers c
Authboss is a modular authentication framework designed to manage user identity and account orchestration. It provides a comprehensive system for handling user registration, email verification, and the full lifecycle of user profiles. The framework distinguishes itself through a focused suite of security and identity tools, including multi-factor authentication via time-based passwords and SMS, and identity integration with external providers using OAuth1 and OAuth2 protocols. It also includes a dedicated account security manager that implements brute-force protection through credential-based
dnmp is a containerized web development environment that provisions a full LNMP stack consisting of Nginx, MySQL, PHP, and Redis. It serves as a management system for coordinating web server routing, language runtime versions, database administration, and SSL certificate provisioning within Docker containers. The project distinguishes itself through a comprehensive PHP runtime manager that allows for switching between multiple language versions and managing extensions in isolated environments. It includes an automated SSL certificate manager that uses webroot validation to provision and renew
This project is a curated collection of deployment files and configurations for hosting a wide variety of open-source services on a home server. It primarily utilizes Docker and Docker Compose to automate the orchestration, lifecycle management, and deployment of containerized applications. The repository provides a comprehensive suite for self-hosted infrastructure, covering network management tools, media streaming, and home automation. It includes specialized configurations for securing internal services via reverse proxies, WireGuard VPN tunnels, and automated SSL/TLS certificate manageme