step-ca, the open source private online certificate authority from Smallstep, preinstalled and running as a system service serving X.509 and ACME certificates over TLS. Each instance bootstraps its own unique certificate authority on first boot, so you can issue and automate internal TLS certificates for your services, devices and workloads within minutes of launch. Backed by 24/7 cloudimg support.
Real screenshots of this software running on the cloudimg image, taken while testing the deployment guide.
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
Overview
step-ca is an open source online certificate authority for secure, automated X.509 and SSH certificate management. It runs your own private PKI: an internal certificate authority that issues short-lived TLS certificates to your services, devices and workloads, with full support for the ACME protocol so any ACME client can request and renew certificates automatically. This image delivers step-ca fully installed and running as a system service, with a freshly bootstrapped certificate authority on every instance, so a private CA is serving certificates within minutes of launch.
Private Certificate Authority Service
The step-ca daemon installed from the official release packages and run by a hardened systemd service as a dedicated unprivileged user, started on boot and restarted on failure. The CA serves its X.509 and ACME API over TLS, and the matching step command line tool is installed for bootstrapping clients, inspecting certificates and issuing certificates from the provisioner. The CA configuration, root and intermediate certificates and the encrypted signing keys live on a dedicated data disk.
Unique CA Per Instance
On its first boot every instance generates its own random certificate authority key passwords and initialises a brand new certificate authority with its own root and intermediate certificates and freshly encrypted signing keys, unique to that instance. No certificate authority material is shared between instances and none ships in the image. The first boot writes the generated passwords and the root certificate fingerprint to a protected file for the operator, so you can bootstrap clients against your CA immediately.
ACME and X.509
A default ACME provisioner is configured so standard ACME clients can request and renew certificates against an internal directory endpoint, and a password protected JWK provisioner lets you issue certificates directly with the step tool. Issue short-lived leaf certificates for internal services, enable mutual TLS between workloads, and automate renewal so certificates rotate without manual intervention.
Configurable and Resizable
The certificate authority reads its configuration from a single JSON file under a dedicated data volume. Add and remove provisioners, adjust certificate lifetimes and templates, enable SSH certificates, and point ACME clients at the directory. The configuration, certificates and keys sit on an independently resizable, snapshottable EBS data volume kept off the operating system disk.
Ready To Use
Connect over SSH and the certificate authority is already running and healthy. Read the welcome notes for the generated passwords and the root fingerprint, bootstrap a client with the step tool, then request your first certificate. The CA serves its API over TLS on the standard HTTPS port.
cloudimg Support
24/7 technical support by email and chat. Help with PKI design, provisioner configuration, ACME automation, certificate templates and lifetimes, SSH certificates, client bootstrapping, renewal and upgrade planning.
Use Cases
An internal certificate authority issuing TLS certificates to your private services. An ACME server automating certificate renewal across your infrastructure. A mutual TLS backbone issuing short-lived workload identities. A device and IoT certificate authority for fleet enrolment.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.