Smallstep Certificate Manager Pricing

Learn how Smallstep's Certificate Manager billing and pricing works.

This document delves into the nuances of Smallstep Certificate Manager billing. We recommend that readers review the Certificate Manager technical details page.

Certificate Manager Billing

Smallstep Certificate Manager billing is based on two factors: Authorities and Endpoints.

  1. Authorities (monthly)
  2. Endpoints (monthly)

1. Metering for Deployed Certs

Billing is metered and starts when a certificate is issued for a new Endpoint. It ends when an Endpoint’s last certificate expires or is revoked.

Why not just bill per certificate?

Billing per certificate would penalize deployments that use short-lived certificates and automated renewal. Endpoint billing is designed to encourage this best practice.

Two Endpoint examples:

  • A single device with one 30-day certificate would be billed at the same rate as
  • a single device with 60 one-day certificates, renewed every 12 hours.

Endpoint grouping is automatic and intuitive for most use cases:

  • For provisioners with renewal enabled:
    • Certificates issued using step ca certificate (or any other method that uses the /sign API) create a new Endpoint.
    • Certificates issued using step ca renew (or any other method that uses the /renew API) are associated with the existing Endpoint of the certificate that’s being renewed.
  • For provisioners with renewal disabled (commonplace with ACME and OIDC): Certificates with identical subjects (common name and SANs), ignoring order and capitalization, belong to the same Endpoint.

For billing purposes, there is a limit of three active certificates per Endpoint. Any active certificate over three is billed as an additional Endpoint.

To avoid being charged for multiple Endpoints, you can revoke unused certificates after they have been renewed.
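
The following is an added example, not Smallstep code: it applies the grouping rule for provisioners with renewal disabled and the three-certificate limit to a constructed certificate inventory, so you can estimate billable Endpoints and spot certificates worth revoking. The inventory fields (cn, sans, not_after, revoked), the reading of "identical subjects" as same common name plus same SAN set, and the choice of the newest three certificates as the ones in use are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

MAX_ACTIVE_PER_ENDPOINT = 3  # limit stated in the billing rule above

def endpoint_key(cn, sans):
    # Identical subject = same common name and same SAN set,
    # ignoring order and capitalization (assumed interpretation).
    return (cn.lower(), frozenset(s.lower() for s in sans))

def is_active(c, now):
    # Expired or revoked certificates no longer count toward an Endpoint.
    return not c["revoked"] and c["not_after"] > now

def billable_units(certs, now):
    """Map each Endpoint key to the units it would be billed as at `now`."""
    active = Counter(endpoint_key(c["cn"], c["sans"]) for c in certs if is_active(c, now))
    # One unit per Endpoint, plus one per active certificate over the limit.
    return {k: 1 + max(0, n - MAX_ACTIVE_PER_ENDPOINT) for k, n in active.items()}

def revocation_candidates(certs, now):
    """Active certificates beyond the newest three of each Endpoint
    (assumes the newest three are the ones still in use)."""
    groups = {}
    for c in certs:
        if is_active(c, now):
            groups.setdefault(endpoint_key(c["cn"], c["sans"]), []).append(c)
    stale = []
    for group in groups.values():
        group.sort(key=lambda c: c["not_after"], reverse=True)
        stale.extend(group[MAX_ACTIVE_PER_ENDPOINT:])
    return stale

# Constructed sample inventory (not real data).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

def cert(cn, sans, days_left, revoked=False):
    return {"cn": cn, "sans": sans, "revoked": revoked,
            "not_after": NOW + timedelta(days=days_left)}

INVENTORY = [
    cert("web.example.internal", ["web.example.internal", "www.example.internal"], 20),
    cert("WEB.example.internal", ["WWW.example.internal", "web.example.internal"], 50),
    *[cert("db.example.internal", ["db.example.internal"], d) for d in (5, 10, 15, 20, 25)],
    cert("old.example.internal", ["old.example.internal"], -3),               # expired
    cert("api.example.internal", ["api.example.internal"], 30, revoked=True),  # revoked
]

if __name__ == "__main__":
    print(sum(billable_units(INVENTORY, NOW).values()), "billable Endpoint units")
    for c in revocation_candidates(INVENTORY, NOW):
        print("candidate to revoke:", c["cn"], c["not_after"].date())
```

In this inventory the two web certificates collapse into one Endpoint, while the five unrevoked db certificates count as three units until the two oldest are revoked or expire.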

2. What type of Authority do you need?

There are two types of authorities to choose from:

  • Dev Ops - This is normal use.
  • Advanced Authority - If you need any of the items listed below, they are priced at a flat fee per month, per authority.
    • Active revocation of certificates
    • Integration of existing PKI (such as bringing your own Root certificate)
    • Per subdomain access control
    • Enterprise Private ACME server