Smallstep Integration with TigerTrust
TigerTrust integrates with Smallstep step-ca for modern, zero-trust private PKI management.
Why Smallstep?
Smallstep provides modern PKI:
- Zero Trust: Short-lived certificates
- Multiple Provisioners: ACME, OIDC, JWK, and more
- SSH Certificates: X.509 and SSH from one CA
- Modern Design: Built for cloud-native environments
Integration Configuration
Configure Smallstep with:
- CA URL and root certificate
- Provisioner type (ACME, OIDC, JWK, etc.)
- Auto-renewal threshold, expressed as a percentage of certificate lifetime
- Default and maximum certificate duration
Provisioner Support
| Provisioner | Description |
|---|---|
| ACME | Standard ACME protocol |
| OIDC | OAuth/OIDC identity federation |
| JWK | JSON Web Key authentication |
| X5C | X.509 certificate authentication |
| K8sSA | Kubernetes ServiceAccount tokens |
| SSHPOP | SSH Proof-of-Possession |
| Cloud | Cloud instance identity (AWS, GCP, Azure) |
Certificate Issuance
ACME Provisioner: Standard ACME protocol with DNS-01 challenges.
OIDC Provisioner: OAuth/OIDC-based issuance using identity providers like Google.
SSH Certificates
Smallstep SSH certificate support includes:
- Host certificates with principal configuration
- User certificates with claims-based principals
- Configurable certificate duration
Kubernetes Integration
cert-manager Issuer: Use Smallstep as a cert-manager StepClusterIssuer for native Kubernetes certificate management.
Short-Lived Certificates
Configure automated rotation:
- Default duration (e.g., 1 hour)
- Maximum duration (e.g., 24 hours)
- Auto-renewal at threshold (e.g., 66% of lifetime)
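The rotation policy above (default, maximum and renewal threshold) as a small worked example. This is added illustration code, not TigerTrust's or Smallstep's own implementation; the policy values and function names are assumptions chosen to match the figures listed here.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy mirroring the example values on this page (assumed
# values, not TigerTrust's real configuration keys).
DEFAULT_DURATION = timedelta(hours=1)
MAX_DURATION = timedelta(hours=24)
RENEW_AT_FRACTION = 0.66  # renew once 66% of the lifetime has elapsed


def clamp_duration(requested: Optional[timedelta]) -> timedelta:
    """Apply the default and maximum duration limits to a requested lifetime."""
    if requested is None:
        return DEFAULT_DURATION
    if requested <= timedelta(0):
        raise ValueError("certificate duration must be positive")
    # Requests above the maximum are silently capped, never rejected.
    return min(requested, MAX_DURATION)


def renewal_time(not_before: datetime, not_after: datetime,
                 fraction: float = RENEW_AT_FRACTION) -> datetime:
    """Point in the certificate's validity window at which renewal starts."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    if not 0.0 < fraction < 1.0:
        raise ValueError("renewal fraction must be strictly between 0 and 1")
    lifetime = not_after - not_before
    return not_before + lifetime * fraction


def renewal_due(not_before: datetime, not_after: datetime, now: datetime,
                fraction: float = RENEW_AT_FRACTION) -> bool:
    """True once 'now' has reached the renewal point (an expired cert is also due)."""
    return now >= renewal_time(not_before, not_after, fraction)


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    expires = issued + clamp_duration(None)             # 1h default
    print("renew at", renewal_time(issued, expires).isoformat())
```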
Getting Started
- Deploy step-ca: Self-hosted or Smallstep hosted
- Configure Provisioners: Set up ACME, OIDC, etc.
- Add Integration: Configure Smallstep in TigerTrust
- Enable Automation: Start certificate management
- Monitor: Track certificates and renewals
TigerTrust's Smallstep integration enables zero-trust infrastructure with modern PKI practices and comprehensive visibility.