⚠️ Custom provisioners can be configured for Certificate Manager. Create a support ticket or modify the default SSH Professional provisioners.
Some of the more popular workflows provisioners enable include:

- Passwords: in its simplest form, the `JWK` provisioner can be used to get a certificate using a password. We'll see an example of this below.
- One-time tokens: the `JWK` provisioner also supports one-time tokens using [step ca token](https://smallstep.com/docs/step-cli/reference/ca/token), which can be generated by orchestration or configuration management and passed to a container or host to obtain a certificate.
- ACME: the `ACME` provisioner implements the ACME standard created by Let's Encrypt. It can be used to automatically get a certificate for a domain name or IP address. A rich client ecosystem and built-in support in many tools make ACME easy to integrate. See the ACME documentation to learn more.
- Single sign-on: the `OIDC` provisioner uses OAuth and OpenID Connect (OIDC) to get a certificate using single sign-on via Google, Okta, Azure AD, or any other compatible identity provider. See the OIDC documentation to learn more. There are two common scenarios where this is useful:
  - Authenticating users (engineers, operators, etc.) who need a certificate for code signing or to authenticate to databases, services, or other infrastructure using mutual TLS.
  - Self-serve / semi-automated workflows for administrators to obtain certificates for workloads, devices, and other infrastructure, where automation is not possible.
- Cloud VMs: the `IID` provisioner can be used to get certificates for your VMs running on AWS, GCP, or Azure.
- Kubernetes: cert-manager is a popular ACME client for Kubernetes. It creates certificate secret resources that can be used by containers and ingresses. [step-issuer](https://github.com/smallstep/step-issuer) lets you connect cert-manager to an issuing authority. autocert lets you use pod annotations to automatically inject certificates into containers using volume mounts. The `k8ssa` provisioner lets you get certificates using Kubernetes service accounts.
- Devices: the `X5C` and `SSHPOP` provisioners let you get a certificate using an existing X.509 or SSH certificate issued by another authority. This can be used by devices to exchange long-lived birth certificates issued at manufacture time for short-lived workload certificates, and for other derived-credential workflows where a certificate from a canonical CA is used to automatically obtain certificates from one or more special-purpose CAs.
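The one-time token workflow above depends on the CA rejecting a token that is stale, replayed, presented to the wrong CA, or used to request names it never authorized. The following Python model of that CA-side check is an added example, not code from the Smallstep documentation or from step-ca: it mints a JWT-shaped token with the usual `iss`/`sub`/`aud`/`nbf`/`exp`/`jti` claims plus a `sans` list, then validates it with a signature check, an audience check, a short validity window, a SAN-subset check, and a `jti` replay store that enforces single use. HMAC-SHA256 stands in for the asymmetric JWK signature a real JWK provisioner verifies, and the provisioner key, provisioner name, CA URL and host names are constructed values.

```python
"""Model of one-time token validation for a JWK-style provisioner.

Added example, not Smallstep code. HMAC-SHA256 stands in for the
asymmetric JWK signature the real provisioner verifies; the key, CA URL
and provisioner name below are constructed values.
"""
import base64
import hashlib
import hmac
import json
import os
import time

PROVISIONER_KEY = b"constructed-demo-provisioner-key"  # stand-in for the provisioner's JWK
CA_SIGN_URL = "https://ca.example.internal/1.0/sign"   # hypothetical CA sign endpoint (token audience)
MAX_TOKEN_LIFETIME = 5 * 60                            # seconds; one-time tokens should be short-lived


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, sans, provisioner="demo-jwk", now=None, lifetime=MAX_TOKEN_LIFETIME):
    """Orchestration side: issue a single-use token that authorizes a cert for `sans`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": provisioner,           # which provisioner must validate this token
        "sub": subject,
        "aud": CA_SIGN_URL,           # binds the token to exactly one CA endpoint
        "sans": list(sans),           # the only names the token may be used to request
        "nbf": now,
        "iat": now,
        "exp": now + lifetime,
        "jti": os.urandom(16).hex(),  # unique id used to enforce single use
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(PROVISIONER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class OneTimeTokenValidator:
    """CA side: accept a token exactly once, inside its window, for its SANs only."""

    def __init__(self, key, audience, max_lifetime=MAX_TOKEN_LIFETIME):
        self.key = key
        self.audience = audience
        self.max_lifetime = max_lifetime
        self.used = {}  # jti -> exp; the replay store only has to remember unexpired ids

    def _prune(self, now):
        self.used = {jti: exp for jti, exp in self.used.items() if exp > now}

    def validate(self, token, requested_sans, now=None):
        """Return (accepted, reason); every rejection names the check that failed."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        h_b64, c_b64, s_b64 = parts
        try:
            header = json.loads(_b64url_decode(h_b64))
            claims = json.loads(_b64url_decode(c_b64))
            sig = _b64url_decode(s_b64)
        except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
            return False, "malformed token"
        if header.get("alg") != "HS256":  # never let the token pick its own algorithm ("none")
            return False, "unexpected alg"
        expected = hmac.new(self.key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if claims.get("aud") != self.audience:
            return False, "audience mismatch"
        nbf, exp = claims.get("nbf"), claims.get("exp")
        if not isinstance(nbf, int) or not isinstance(exp, int):
            return False, "missing validity window"
        if now < nbf:
            return False, "not yet valid"
        if now >= exp:
            return False, "expired"
        if exp - nbf > self.max_lifetime:  # a long-lived "one-time" token defeats the purpose
            return False, "lifetime exceeds policy"
        if not set(requested_sans) <= set(claims.get("sans", [])):
            return False, "CSR SANs not authorized by token"
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        self._prune(now)
        if jti in self.used:  # replay: the same token presented a second time
            return False, "token already used"
        self.used[jti] = exp  # record after all other checks so a rejected attempt does not burn the token
        return True, "ok"


if __name__ == "__main__":
    host = "host1.example.internal"  # constructed host name
    tok = mint_token(host, [host])
    ca = OneTimeTokenValidator(PROVISIONER_KEY, CA_SIGN_URL)
    print(ca.validate(tok, [host]))  # first use is accepted
    print(ca.validate(tok, [host]))  # second use is rejected as a replay
```

Two design points carry over to any real deployment: the replay store must be shared by every CA instance that can accept the token (a per-process dictionary like the one here is only enough for a single CA), and the `jti` is recorded only after every other check passes, so a request that fails the SAN or audience check does not consume the token the legitimate host is about to present.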
For more detailed information about how each provisioner type works, please check out our open source provisioner documentation.