Smallstep develops device identity and certificate management software that replaces static credentials with hardware-backed, short-lived certificates and cryptographic attestation. Its platform is built to prove what device, workload, person, or agent is acting and to use that identity to protect access to sensitive enterprise resources across cloud, on-premises, and hybrid environments.
Smallstep combines commercial software with open source PKI tooling. Its offerings span device identity, managed and self-managed certificate authorities, SSH certificate workflows, and deployment models that support SaaS, hybrid, customer-managed, and air-gapped environments. The platform is positioned for organizations that want stronger cryptographic controls for enterprise devices, internal services, cloud workloads, developers, and AI-driven systems.
Offerings, Capabilities, and Integrations
Smallstep focuses on hardware-rooted identity, automated certificate issuance and renewal, and policy-based access controls for devices, people, and workloads. Its capabilities cover X.509 and SSH certificates, mTLS, certificate-based network access, device inventory synchronization, and enrollment methods that use cryptographic attestation or cloud instance identity rather than shared secrets.
The platform is designed to fit into existing enterprise stacks instead of replacing them. Smallstep integrates with MDM and endpoint management systems, identity providers, cloud platforms, Kubernetes environments, and developer tooling. It also exposes API and infrastructure-as-code automation options, enabling teams to manage enrollment, certificate operations, and access workflows programmatically.
Products and Services
- Device Identity: Smallstep’s flagship platform capability for binding access to verified, company-owned or company-managed devices using hardware-backed, short-lived certificates and cryptographic attestation.
- Smallstep Agent: Endpoint software for macOS, Windows, and Linux that runs as a background service to automate certificate management, device identity workflows, remote configuration, and related endpoint operations.
- Smallstep Certificate Manager: Commercial hosted certificate authority software for issuing and managing private X.509 TLS certificates for internal services, infrastructure, people, and devices.
- Smallstep SSH: SSH certificate management service that replaces static SSH keys with short-lived certificates and ties access to existing identity providers and policy controls.
- Step CA Pro: Enterprise-grade commercial deployment of the Smallstep CA for mission-critical environments, adding advanced features, compliance options, support, and cloud-based management while keeping CA control with the customer.
- Smallstep Run Anywhere: Customer-managed deployment option for running the full Smallstep platform on bespoke infrastructure, including Kubernetes, virtual machines, on-premises environments, and air-gapped settings.
- step-ca: Open source online certificate authority for automated X.509 and SSH certificate management, including ACME-based and other PKI workflows.
- step-cli: Open source command-line cryptography and PKI toolkit used as a client interface for Smallstep Certificate Manager and step-ca, and as a standalone utility for common certificate and crypto operations.
- Smallstep Registration Authorities: Registration authority software for extending existing PKI environments with automated certificate enrollment and renewal while leaving certificate signing keys in the customer’s existing PKI.
Target Customers
Smallstep targets enterprise IT, security, platform engineering, and DevOps teams that need stronger control over corporate devices, internal applications, cloud workloads, SSH access, and certificate lifecycles. Its messaging is especially aligned to organizations protecting sensitive resources such as Wi-Fi, VPNs, source code, SaaS applications, internal APIs, and regulated data stores.
It is also a fit for companies with established identity, MDM, and cloud investments that want to add cryptographic device and workload identity without replacing those systems. Customers with hybrid, on-premises, or air-gapped requirements are a clear focus, as are teams standardizing secure access for developers, managed endpoints, Kubernetes environments, and emerging AI or MCP-based workflows.
Cloud Integrations and Marketplace
- Google Cloud Marketplace: Smallstep has a verified presence on Google Cloud Marketplace through its ACME Registration Authority offering for Google Certificate Authority Service.
- Google Cloud Platform: Smallstep supports Google Cloud environments through cloud workload identity, Google Workspace-related integrations, and certificate automation workflows tied to Google infrastructure.
- AWS: Smallstep provides documented integrations for AWS workloads and services, including support for AWS instance identity-based enrollment and related AWS service connections.
- Microsoft Azure: Smallstep integrates with Microsoft environments including Azure resources, Azure Key Vault-related workflows, Intune-managed devices, and Windows deployments.
Key People
- Mike Malone: Founder and CEO
- Geoff Leonard: Chief Revenue Officer
- Josh Drake: Chief Technology Officer
- Ted Malone: VP Strategy & GTM
- Max Furman: VP of Engineering
- Cass Fultz: Head of Operations
- Alan Thomas: Software Engineering Manager
Key Facts
- Headquarters: San Francisco, California, United States
- Employees: 27
- Annual Revenue: Undisclosed
- Parent Company: None
- Subsidiaries: None
- Publicly Listed: Not publicly listed