Overview
step-ca service running
step-ca version reporting the installed 0.30.2 release and systemctl status showing the step-ca.service certificate-authority daemon active and serving on port 443.
step-ca service running
Certificate authority health
Issuing a certificate
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
Overview step-ca is an open source online certificate authority for secure, automated X.509 and SSH certificate management. It runs your own private PKI: an internal certificate authority that issues short-lived TLS certificates to your services, devices and workloads, with full support for the ACME protocol so any ACME client can request and renew certificates automatically. This image delivers step-ca fully installed and running as a system service, with a freshly bootstrapped certificate authority on every instance, so a private CA is serving certificates within minutes of launch.
Private Certificate Authority Service The step-ca daemon installed from the official release packages and run by a hardened systemd service as a dedicated unprivileged user, started on boot and restarted on failure. The CA serves its X.509 and ACME API over TLS, and the matching step command line tool is installed for bootstrapping clients, inspecting certificates and issuing certificates from the provisioner. The CA configuration, root and intermediate certificates and the encrypted signing keys live on a dedicated data disk.
Unique CA Per Instance On its first boot every instance generates its own random certificate authority key passwords and initialises a brand new certificate authority with its own root and intermediate certificates and freshly encrypted signing keys, unique to that instance. No certificate authority material is shared between instances and none ships in the image. The first boot writes the generated passwords and the root certificate fingerprint to a protected file for the operator, so you can bootstrap clients against your CA immediately.
ACME and X.509 A default ACME provisioner is configured so standard ACME clients can request and renew certificates against an internal directory endpoint, and a password protected JWK provisioner lets you issue certificates directly with the step tool. Issue short-lived leaf certificates for internal services, enable mutual TLS between workloads, and automate renewal so certificates rotate without manual intervention.
Configurable and Resizable The certificate authority reads its configuration from a single JSON file under a dedicated data volume. Add and remove provisioners, adjust certificate lifetimes and templates, enable SSH certificates, and point ACME clients at the directory. The configuration, certificates and keys sit on an independently resizable, snapshottable EBS data volume kept off the operating system disk.
Ready To Use Connect over SSH and the certificate authority is already running and healthy. Read the welcome notes for the generated passwords and the root fingerprint, bootstrap a client with the step tool, then request your first certificate. The CA serves its API over TLS on the standard HTTPS port.
cloudimg Support 24/7 technical support by email and chat. Help with PKI design, provisioner configuration, ACME automation, certificate templates and lifetimes, SSH certificates, client bootstrapping, renewal and upgrade planning.
Use Cases An internal certificate authority issuing TLS certificates to your private services. An ACME server automating certificate renewal across your infrastructure. A mutual TLS backbone issuing short-lived workload identities. A device and IoT certificate authority for fleet enrolment.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Highlights
- step-ca, the Apache-2.0 open source private online certificate authority from Smallstep, preinstalled and running as a systemd service serving X.509 and ACME certificates over TLS, with the matching step command line tool, no manual setup required
- Every instance bootstraps its own unique certificate authority on first boot with freshly generated key passwords, its own root and intermediate certificates and encrypted signing keys, so no CA material is shared between instances or ships in the image
- Issue short-lived internal TLS certificates and automate renewal with the built-in ACME provisioner, with the configuration, certificates and keys on a dedicated, independently resizable data disk, and 24/7 technical support from cloudimg
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
- ...
Dimension | Description | Cost/hour |
|---|---|---|
t3.small Recommended | t3.small | $0.04 |
t2.micro | t2.micro instance type | $0.04 |
t3.micro | t3.micro instance type | $0.04 |
c5a.12xlarge | c5a.12xlarge instance type | $0.24 |
c5a.16xlarge | c5a.16xlarge instance type | $0.24 |
c5a.24xlarge | c5a.24xlarge instance type | $0.24 |
c5a.2xlarge | c5a.2xlarge instance type | $0.24 |
c5a.4xlarge | c5a.4xlarge instance type | $0.24 |
c5a.8xlarge | c5a.8xlarge instance type | $0.24 |
c5a.large | c5a.large instance type | $0.08 |
Vendor refund policy
Refunds available on request.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Initial release of step-ca 0.30.2 (with the step CLI 0.30.6), the open source private online certificate authority, as a ready-to-use service that bootstraps a unique certificate authority on first boot.
Additional details
Usage instructions
Connect via SSH on port 22 as the default login user for your operating system variant (the user guide lists it per variant). This is a headless certificate-authority service: there is no web interface. Read the welcome notes, including the per-instance CA and provisioner passwords and the root certificate fingerprint, with: sudo cat /root/step-ca-credentials.txt. Confirm the CA daemon is running with: systemctl status step-ca. The CA serves its X.509 and ACME API over TLS on port 443; check its health with: curl -k https://127.0.0.1/health (returns {"status":"ok"}). The CA configuration, certificates and encrypted keys live on a dedicated data disk mounted at /etc/step-ca (STEPPATH); the main config is /etc/step-ca/config/ca.json. To issue certificates, bootstrap a client with the step tool against the root fingerprint shown in the welcome notes, then use step ca certificate, or point any ACME client at the CA's ACME directory. Open port 443 to the clients that need to reach the CA in the instance security group.
Resources
Vendor resources
Support
Vendor support
cloudimg provides 24/7 technical support for this product by email and live chat. Our engineers help with deployment, configuration, updates, performance tuning and troubleshooting; critical issues receive a one hour average response. Contact support@cloudimg.co.uk .
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
