certificate lifecycle management

Automated CLM provides complete visibility and centralized certificate management across your networking and compute systems


automatic certificate enrollment protocol

The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between and their users' web servers, allowing the automated deployment of at very low cost. It was designed by the (ISRG) for their service.

Asymmetric keys

Separate keys used for encryption and decryption, eg. public/private keys.


authority administrator

Default provisioner created by Certificate Manager and linked to the creators smallstep login. You can use this provisioner to administer the CA, assign additional authority-admins, create RAs and to get certificates.


Basic Encoding Rules

The Basic Encoding Rules (BER) are a set of Abstract Syntax Notation One encoding rules that define a specific way in which information may be encoded in a binary form. It is used as the underlying mechanism for encoding messages.


Certificate Authority

A trusted entity that issues and revokes public key certificates.


Content-delivery network 

When using a CDN, you have two SSL connections. One connection is between the visitor and the CDN and the other between the CDN and the server. You can use two SSL certificates, one on the server and the other on the CDN, to segment access to your private keys.


CRL Distribution Point

When a browser wants to retrieve a CRL for a certificate, it retrieves it from a specified CRL Distribution Point (a CRL Distribution Point (CDP) is an X.509 v3 certificate extension). To put it in simple terms, a CRL distribution point is a shared location on the network that is used to store the CRL and certificates. It is also possible to have two distribution points, one pointing to the HTTP CRL location with the other pointing to the LDAP CRL location. Both distribution points HTTP and LDAP could be pointing to the same CRL.

Client Certificate

Digital ID

Client Certificates or Digital IDs are used to identify one user to another, a user to a machine, or a machine to another machine. One common example is emails, where the sender digitally signs the communication, and the recipient verifies the signature. Client certificates authenticate the sender and the recipient. Client certificates also take the form of two-factor authentication when the user needs to access a protected database or arrives at the gateway to a payment portal, where they’ll be expected to enter their passwords and be subjected to further verification.

Cloud PKI

Cloud/SAAS/Hosted Public Key Infrastructure

Cloud PKI is the modern alternative to its on-premise cousin. Here, the entire PKI is hosted on the provider’s servers, and PKI is supplied to clients on-demand. This way, the client receives all the benefits of a full-fledged public PKI, without having to deal with the hosting, maintenance, and physical management costs involved. There is also the assurance of 100% availability, since the back-end is handled exclusively by the providers. This allows for relatively easier scalability, since the cloud PKI provider handles installations, maintenance, security, and backups, and provides only the necessary PKI to the client on-demand.


Certificate Manager

Tool created by smallstep to assist with the creation and management of certificates. This includes creation of internal Certificate Authorities (CA), Registration Authorities (RA) and certificates with the appropriate lifespan and authorization 


certificate management protocol

A file format-based protocol for getting & updating X.509 certs from a CA. [] ACME, SCEP


Certificate Repository

An electronic, searchable storage facility for signed certificates with public keys that have been generated. It consists of important certificate information, such as certificate validity details, revocation lists, and root certificates. They are often equipped with LDAP (Lightweight Directory Access Protocol), an online directory service where entries are classified and indexed.


Certificate Revocation List

A Certification Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. A CRL essentially functions as a blacklist for certificates. A browser makes a GET request to an HTTPS enabled page, the CA receives the request, and then returns a list of all the revoked certificates. The browser then parses the CRL to ensure that the certificate of the requested site isn’t contained within it.

CS Cert

Code Signing Certificate

DV, OV, EV. Code Signing certificates allow you to encrypt software codes to ensure hackers cannot tamper with them. You want your files to have a CS certificate because all major operating systems warn users when they start downloading or installing unsigned software.


certificate signing requests

A certificate signing request (CSR) is one of the first steps towards getting your own SSL/TLS certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate and is signed with the corresponding private key. We’ll go into more details on the roles of these keys below. The CSR itself is usually created in a Base-64 based PEM format.


distinguished encoding rules

DER is a pretty simple type-length-value encoding. Distinguished Encoding Rules is one of ASN.1 encoding rules defined in ITU-T X.690, 2002, specification. ASN.1 encoding rules can be used to encode any data object into a binary file.

The basic encoding rule of DER is that a data value of all data types shall be encoded as four components in the following order:

• Identifier octets

• Length octets

• Contents octets

• End-of-contents octets


Distinguished Name

A unique name that identifies the user who requested the certificate. These were designed 30 years ago for a phone book. City and state don’t make much sense on the web.


Domain validated certificates

LEAST CHECKS. DV SSL certificates require the lowest level of validation. Once requested, CAs do not check the identity of a person or company running a website. They only verify that a site admin runs the URL, which is enough to register a domain


external account binding

External Account Bindings are used to associate your ACME account with an external account such as a CA custom database

. This is typically not needed for most cert-manager users unless you know it is explicitly needed. External Account Bindings require two fields on an ACME Issuer which represents your ACME account.


envelope formats



Extended validated certificates

MOST CHECKS The Extended Validation SSL certificate gives the same validation as both DV and OV, but it also proves that you have registered your website as an official business. When issuing EV SSL certificates, CAs do extensive background checks. They inspect domain ownership, legal existence, physical location(s), and more. 

FIPS Compliance

Federal Information Processing Standards Compliance

Created by the National Institute of Standards and Technology’s (NIST’s) Computer Security Division, FIPS established a and computer system standard that organizations must adhere to per the Federal Information Security Management Act of 2002 (FISMA). FISMA requires United States federal government agencies reduce information technology risk to an acceptable level at a reasonable cost.

To become FIPS compliant, a U.S. government agency or contractor’s computer systems must meet requirements outlined in the FIPS publications numbered 140, 180, 186, 197, 198, 199, 200, 201, and 202.

• FIPS 140 covers cryptographic module and testing requirements in both hardware and software.

• FIPS 180 specifies how organizations can be FIPS compliant when using secure hash algorithms for computing a condensed message.

• FIPS 186 is a group of algorithms for generating a digital signature.

• FIPS 197 is a standard that created the Advanced Encryption Standard, which is a publicly accessible cipher approved by the National Security Agency (NSA)

• FIPS 198 is about a mechanism for message authentication that utilizes cryptographic hash functions.

• FIPS 199 standardizes how federal agencies categorize and secure information and information systems the agency collects or maintains.

• FIPS 200 is a standard that helps federal agencies with through levels of based on risk levels.

• FIPS 201 specifies the standard for common identification for federal and contractors.

• FIPS 202 gives the specifications for the Secure Hash Algorithm-3 (SHA-3) family of four cryptographic hash functions and two extendable-output functions.


keyed-hash message authentication code /  hash-based message authentication code

In, an HMAC is a specific type of (MAC) involving a and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.HMAC uses two passes of hash computation. The secret key is first used to derive two keys – inner and outer. The first pass of the algorithm produces an internal hash derived from the message and the inner key. The second pass produces the final HMAC code derived from the inner hash result and the outer key. Thus the algorithm provides better immunity against



hardware security module

A hardware security module (HSM) is a physical device that provides extra security for sensitive data. This type of device is used to provision cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.


json web token

JWT is an open standard used to share security information between two parties — a client and a server. Each JWT contains encoded JSON objects, including a set of claims. JWTs are signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued.


Kubernetes Service Account

A K8sSA provisioner allows a client to request a certificate from the server using a Kubernetes Service Account Token. As of the time when this provisioner was coded, the Kubernetes Service Account API for retrieving the token from a running instance was still in beta.


key derivation functions

Create derived keys.

A basic example is crypt(). This is a password-based KDF that returns an encrypted string from the password value and a salt. It’s a key strengthening function, because it can take a potentially weak key as input and return a key that’s difficult to brute force.

Key encryption and storage facilities

Private keys are valuable documents that can be misused if malicious actors gain access to it. Hence, they are stored in encrypted vaults with secured periodic access.


message authentication code

A MAC is a bit of data that’s used to verify which entity sent a message, and to ensure that a message hasn’t been modified. The basic idea is to feed a shared secret (a password) along with a message through a hash function. The hash output is a MAC. You send the MAC along with the message to some recipient.

Multi-Domain SSL certs

DV, OV, EV. A Multi-Domain certificate can protect multiple domains as well as subdomains. Depending on the CA, a Multi-Domain SSL certificate will allow you to secure up to 250 domains.

With a Multi-Domain SSL, the first domain is treated as the Base Domain. All others are regarded as SAN (subject alternative names) domains.

Multi-Domain Wildcard SSL certs

DV, OV. A Multi-Domain Wildcard SSL certificate combines features of Wildcard and Multi-Domain SSL certificates. A Multi-Domain Wildcard SSL certificate protects multiple fully qualified domains and an unlimited number of subdomains.

The initial investment is substantial. A Multi-Domain Wildcard SSL certificate is a good choice if you’re running multiple sites. It allows admins to manage a unified certification for all websites.


A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory. In a general information security context, assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.


Online Certificate Status Protocol

OCSP stands for Online Certificate Status Protocol and is used by Certificate Authorities to check the revocation status of an X. 509 digital certificate.


Object Identifiers

object identifiers (OIDs).An OID is like a URI, but more annoying. They’re (supposed to be) universally unique identifiers. Structurally, OIDs are a sequence of integers in a hierarchical namespace. You can use an OID to tag a bit of data with a type. A string is just a string, but if I tag a string with OID it’s no longer an ordinary string – it’s an X.509 common name. Another example OID StateOrProvinceName ST=CA.


OpenID Connect

OIDC is an open authentication protocol that profiles and extends OAuth 2.0 to add an identity layer. OIDC allows clients to confirm an end user's identity using authentication by an authorization server.

On-Prem PKI

On Premise Public Key Infrastructure

On-premise is the deployment method traditionally used by most established PKI providers. Here, the PKI is installed on the organization’s own servers – it is administered and governed by the organization’s internal PKI team, and the root certificate is kept in a highly secure location within this infrastructure. Many providers of external CAs exclusively provide on-premise PKI, as it is considered to be more secure than the alternative (hosting a PKI elsewhere) – this is primarily because on-prem setups retain full control over the private keys and certificate issuance process. However, on-premise offerings have certain shortcomings, which come in the form of increased complexity and associated costs, including a need to procure:

• Highly skilled PKI administrators/personnel

• Training programs

• Secure physical facilities

• Robust PKI management software

• Disaster recovery mechanisms and backups

• Network infrastructure

A characteristic that PKI deployments absolutely must possess is scalability i.e the ability to grow and change in an agile fashion, without requiring a complete overhaul of the system to do so. This is a challenge many on-premise PKI providers struggle with, as all of the infrastructure is on the client’s servers, and hence, requires significant physical efforts to redesign or upgrade.


Organization validated certificates

MORE CHECKS. An Organization Validated SSL certificate proves that you own the website domain and an organization in a specific country and city. A website must go through several background checks to receive an OV SSL.


Privacy Enhanced Email

So most certificates are packaged up in files (which stands for Privacy Enhanced EMail, another weird historical vestige). If you’ve ever worked with, PEM is similar: a base64 encoded payload sandwiched between a header and a footer. The PEM header has a label that’s supposed to describe the payload. Shockingly, this simple job is mostly botched and PEM labels are often inconsistent between tools ( attempts to standardize the use of PEM in this context, but it’s not complete and not always followed). Without further ado, here’s what a PEM-encoded X.509 v3 certificate looks like:













PEM-encoded certificates will usually carry a .pem, .crt, or .cer extension. A raw certificate encoded using DER will usually carry a .der extension. Again, there’s not much consistency here, so your mileage may vary.


Public Key Cryptography Standards

The envelope formats you’re likely to encounter are part of a suite of standards called PKCS (Public Key Cryptography Standards) published by RSA labs (actually the story is

, but whatever). The first is

, rebranded

 (CMS) by IETF, which can contain one or more certificates (encoding a full certificate chain, described shortly). PKCS#7 is commonly used by Java. Common extensions are .p7b

 and .p7c

. The other common envelope format is

 which can contain a certificate chain (like PKCS#7) along with an (encrypted) private key. PKCS#12 is commonly used by Microsoft products. Common extensions are .pfx

 and .p12

. Again, the PKCS#7 and PKCS#12 envelopes also use ASN.1. That means both can be encoded as raw DER or BER or PEM. That said, in my experience they’re almost always raw DER.


Public Key Infrastructure

The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates. 

Component Examples:

• A certificate authority (CA) that stores, issues and signs the digital certificates;

• A registration authority (RA), a service that sits in front of a CA and authenticates certificate signing requests;

• A validation authority (VA) — typically, this is a service that verifies certificate validity are used to test whether a certificate has been revoked before it expires.

• A central directory—i.e., a secure location in which keys are stored and indexed

• A certificate management system managing things like the access to stored certificates or the delivery of the certificates to be issued;

• A certificate policy stating the PKI's requirements

concerning its procedures. Its purpose is to allow outsiders to analyze the PKI's trustworthiness.

private key

Private keys may carry a .prv, .key, or .pem extension.

public key

Public keys will usually have a .pubor .pem extension.


Registration Authority

An entity authorized by the certification authority system (CAS) to collect, verify, and submit information provided by potential subscribers, which is to be entered into public key certificates. The term RA refers to hardware, software, and individuals that collectively perform this function.


Subject Alternative Name

Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field.


simple certificate enrollment platform

• [] is still very popular in the enterprise even though it's an ancient protocol.

     Often used in network equipment, very popular with Cisco hardware

     Also used for MDM by Microsoft and Apple

     Runs over HTTP using POSTed binary data or base64-encoded GET parameters. Uses CMS (PKCS#7), CSR (PKCS#10), RSA, DES3/AES, SHA1/2


A signature can be verified using a public key but can only be generated with a corresponding private key. Thus, a recipient that only has a public key can verify signatures, but can’t generate them. This gives you tighter control over who can sign stuff. If only one entity knows the private key you get a property called non-repudiation: the private key holder can’t deny (repudiate) the fact that they signed some data.

Single-Domain SSL certs

DV, OV, EV. A Single-Domain SSL certificate secures one domain and all its pages. Single-Domain SSL covers both www and non-www versions of the domain.

It is the cheapest type of SSL. It is enough to protect data coming in and out of a website. Buying this type of SSL certificate for a domain will not apply to its subdomains.

Symmetric key

A key that's shared by multiple parties

TLS/SSL Certificate

Transport Layer Security/Secure Socket Layer Certificates

TLS/SSL (Transport Layer Security/Secure Socket Layer) Certificates are installed on the server. The purpose of these certificates is to ensure that all communication between the client and the server is private and encrypted. The server could be a web server, app server, mail server, LDAP server, or any other type of server that requires authentication to send or receive encrypted information. The address of a website with a TLS/SSL certificate will start with “https://” instead of “http://”, where the “s” stands for “secure.”


trusted platform module

A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:

• Generate, store, and limit the use of cryptographic keys.

• Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it.

• Help ensure platform integrity by taking and storing security measurements.

The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.

TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.


Unified Communications SSL certs

DV, OV. UCC SSLs are issued for environments that utilize Microsoft Exchange and Office Communications.

United Communications SSL allows users to protect multiple fully qualified domains under a single certificate. Like with Multi-Domain SSL, the first domain is the Base Domain, while others rely on SAN extensions instead of different IP addresses.

Depending on the CA, UCC can enable you to secure anywhere between 25 to 250 domains.


validation authority

typically, this is a service that verifies certificate validity — Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP), for example, are used to test whether a certificate has been revoked before it expires.

Wildcard SSL certs

DV, OV. Wildcard SSL certificates protect a single domain and an unlimited number of subdomains. For example, if you buy a certificate for, subdomains such as or are also secured. Wildcard SSL certificates are great if you plan on adding subdomains. It allows you to use the certificate for any subdomain. As an added benefit, it is far easier to manage a Wildcard certificate than single certificates for each of your subdomains.

x.509 cert

digital cert, PKI cert

The entire exchange is facilitated by x.509 certificates (also called digital certificates or PKI certificates), since only those public keys that have been signed by a Certificate Authority and bound to a certificate are considered acceptable for use online. 

A typical certificate consists of the following information:

• A Distinguished Name (DN) which is simply a unique name that identifies the user who requested the certificate.

• The date of issuance and the date of expiry, so as to estimate the certificate’s lifetime.

• The public key.

• The purpose of the certificate, which could range from signing code to encrypting communication channels.

• A digital signature, which is the CA’s guarantee that the certificate is valid and belongs to the user in question.

Most frequently refers to PKIX variant and used on the web.