⚠️ Custom provisioners can be configured for Certificate Manager. Create a support ticket or modify the default SSH Professional provisioners.

Some of the more popular workflows provisioners enable include:

  • Passwords: in its simplest form, the JWK provisioner can be used to get a certificate using a password. We'll see an example of this below.
  • One-time tokens: the JWK provisioner also supports one-time tokens using [step ca token](<https://smallstep.com/docs/step-cli/reference/ca/token>), which can be generated by orchestration or configuration management and passed to a container or host to obtain a certificate.
  • ACME: the ACME provisioner implements the ACME standard created by Let's Encrypt. It can be used to automatically get a certificate for a domain name or IP address. A rich client ecosystem and built-in support in many tools make ACME easy to integrate. See the ACME documentation to learn more.
  • Single Sign-on: the OIDC provisioner uses OAuth and OpenID Connect (OIDC) to get a certificate using single sign-on via Google, Okta, Azure AD, or any other compatible identity provider. See the OIDC documentation to learn more. There are two common scenarios where this is useful:
    1. Authenticating users (engineers, operators, etc.) who need a certificate for code signing or to authenticate to databases, services, or other infrastructure using mutual TLS.
    2. Self-serve / semi-automated workflows for administrators to obtain certificates for workloads, devices, and other infrastructure, where automation is not possible.
  • Cloud VMs: the IID provisioner can be used to get certificates to your VMs running on AWS, GCP, or Azure.
  • Kubernetes: cert-manager is a popular ACME client for Kubernetes. It creates certificate secret resources that can be used by containers and ingresses. [step-issuer](<https://github.com/smallstep/step-issuer>) lets you connect cert-manager to an issuing authority. autocert lets you use pod annotations to automatically inject certificates into containers using volume mounts. The k8ssa provisioner lets you get certificates using Kubernetes service accounts.
  • Devices: the X5C and SSHPOP provisioners let you get a certificate using an existing X.509 or SSH certificate issued by another authority. Devices can use this to exchange long-lived birth certificates issued at manufacture time for short-lived workload certificates, and it supports other derived-credential workflows where a certificate from a canonical CA is used to automatically obtain certificates from one or more special-purpose CAs.
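
The one-time-token workflow from the list above, as an added example that is not smallstep's code or documentation: an orchestrator mints a JWK token with `step ca token`, sanity-checks its claims before shipping it, and the target host redeems it with `step ca certificate`. The CA URL, provisioner name, root path and the one-hour policy are assumptions; the claim names checked (aud, sub, sans, jti, nbf, exp) are the ones `step ca token` emits.

```python
import base64
import json
import subprocess
import time

CA_URL = "https://ca.example.internal"          # assumed CA URL
PROVISIONER = "orchestrator@example.internal"   # assumed JWK provisioner name
ROOT = "/etc/step/root.crt"                     # assumed path to the root cert
MAX_TTL = 3600                                  # assumed policy: at most one hour

def mint_token(subject, ttl="5m"):
    """Orchestrator side: mint a short-lived one-time token for `subject`."""
    out = subprocess.run(
        ["step", "ca", "token", subject, "--ca-url", CA_URL, "--root", ROOT,
         "--provisioner", PROVISIONER, "--not-after", ttl],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_token(token, subject, now=None):
    """Pre-flight check before shipping a token to a host. It does NOT verify
    the signature (the CA does that with the provisioner's JWK); it confirms the
    claims bind the token to this CA, this subject and a short validity window."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("aud") != f"{CA_URL}/1.0/sign":
        raise ValueError("token is for a different CA or endpoint")
    if claims.get("sub") != subject or subject not in claims.get("sans", []):
        raise ValueError("token is not bound to the expected subject")
    if not claims.get("jti"):
        raise ValueError("missing jti; the CA cannot enforce single use")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token is outside its validity window")
    if claims["exp"] - claims["nbf"] > MAX_TTL:
        raise ValueError("token validity exceeds policy; mint a shorter one")
    return claims

def redeem_on_host(token, subject):
    """Host side: exchange the one-time token for a certificate and key."""
    subprocess.run(["step", "ca", "certificate", subject, "host.crt",
                    "host.key", "--token", token], check=True)
```

Run `mint_token` on the orchestrator, pass the string to the host and call `redeem_on_host` there; `check_token` is the only part that runs without the step CLI and a reachable CA.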

For more-detailed information about how each provisioner type works, please check out our open source provisioner documentation.