This document delves into the nuances of Smallstep's Certificate Manager billing. We recommend that readers review the Certificate Manager technical details page and the pricing page for the latest pricing details.

Smallstep Certificate Manager Billing is based on three factors: Authorities, Endpoints, and the type of plan used.

  1. Authorities (monthly)
  2. Endpoints (monthly)
  3. Plan Type

1. Metering for Deployed Certs

Billing is metered and starts when a certificate is issued for a new Endpoint. It ends when an Endpoint’s last certificate expires or is revoked.

Billing per certificate would penalize deployments that use short-lived certificates and automated renewal. Endpoint billing is designed to encourage this best practice.

Two Endpoint examples:

  1. A single device with one 30-day certificate would be billed at the same rate as,
  2. A single device with 60 one-day certificates is renewed every 12 hours.

Endpoint grouping is automatic and intuitive for most use cases:

  • For provisioners with renewal enabled: Certificates issued using step ca certificate (or any other method that uses the /sign API) create a new EndpointCertificates issued using step ca renew (or any other method that uses the /renew API) are associated with the existing Endpoint of the certificate that’s being renewed
  • For Provisioners with renewal disabled (commonplace with ACME and OIDC): Certificates with identical subjects (common name and SANs), ignoring order and capitalization, belong to the same Endpoint.

For billing purposes, there is a limit of three active certificates per Endpoint. Any active certificate over three is billed as an additional Endpoint. To avoid being charged for multiple Endpoints, you can revoke unused certificates after they’ve been renewed.

2. What type of Authority do you need

There are two types of authorities to choose from:

  • Dev Ops - This is normal use. The first is free; each subsequent one is a monthly flat fee.
  • Advanced Authority- If you need any of the items listed below, they are priced with a per month per authority flat fee.
    • Active revocation
    • Integration of existing PKI
    • Per subdomain access control
    • Enterprise Private ACME server

Please look at the comparison chart on the Smallstep pricing page for complete product comparisons.