Start with Identity
PKI / Certificate Lifecycle

Smallstep

Founded 2016San Francisco, California, USAPrivateScore 4/5Evaluated 2026-06-19Website ↗

Capability scores

Methodology →
Authentication
3.0
SSO & Federation
2.0
Authorization
3.0
Lifecycle & Provisioning
4.0
MFA & Passwordless
2.0
Governance & Audit
4.5
Developer Experience
4.5
Deployment Flexibility
4.5
Pricing Transparency
3.5
Support & Ecosystem
3.5

Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.

Overview

Smallstep (founded 2016, privately held) builds open-source and commercial tooling for automated private PKI, device identity, and short-lived certificates. Its open-source step-ca and step CLI are widely adopted by engineering teams rolling out mutual TLS and workload identity. In the PKI and certificate lifecycle category it sits at the developer-first, cloud-native end, focused on internal trust rather than public, browser-trusted certificates.

What it is good at

Developer experience and automation are the standout. step-ca is a lightweight private CA that supports ACME, short-lived certificates, and automated renewal, making mTLS between services and devices practical without manual cert handling. The tooling fits cloud-native and Kubernetes environments cleanly and treats certificates as ephemeral machine identity rather than long-lived artifacts to babysit. The open-source core lowers the barrier to adoption, and commercial tiers add managed hosting, device identity, and team features.

Where it falls short

Smallstep issues private trust, not public, browser-trusted certificates, so it does not replace a public CA for internet-facing TLS. It is also not a turnkey enterprise CLM with heavy governance, broad multi-CA discovery, and compliance reporting, which large regulated estates often require. The focus is depth in internal PKI and device identity rather than breadth across an enterprise certificate fleet.

Pricing

Open-source core (step-ca, step CLI) is free to self-operate. Managed and enterprise tiers are usage-based, adding hosting, device identity, and team management. Model managed versus self-hosted cost with the TCO calculator.

Best for, and who should look elsewhere

Choose Smallstep when engineering teams need automated internal PKI, short-lived certificates, and mTLS for services and devices. For public, browser-trusted certificates, use DigiCert, Sectigo, or GlobalSign; for enterprise multi-CA CLM and governance, Keyfactor or AppViewX.

Bottom line

A developer-friendly, automation-first choice for private PKI, device identity, and mTLS, best for cloud-native teams rather than public-trust or heavy-governance needs.

More PKI / Certificate Lifecycle vendors

All PKI / Certificate Lifecycle

By SWI Community Team · Last evaluated 2026-06-19

Independent, community-driven analysis. No vendor sponsorship. Compiled from public research and community input and verified on a best-effort basis, so details may be incomplete or out of date. Scores are opinions, not advice. Trademarks belong to their owners; mention does not imply affiliation or endorsement. See the full disclaimer, or send corrections to community@startwithidentity.com.