Smallstep OSS PKI Toolchain (step-ca & step-cli)
Open-source private CA toolchain for automated X.509 & SSH cert mgmt.

Smallstep OSS PKI Toolchain (step-ca & step-cli) Description
Smallstep's open-source PKI toolchain consists of two primary components: step-ca and step-cli.

**step-ca** is a private certificate authority (CA) server supporting both X.509 and SSH certificates. It provides the infrastructure and automation workflows to operate an internal CA, enabling automated certificate issuance and renewal for workloads across cloud and on-premises environments. Certificate enrollment is supported via ACME, OIDC, one-time tokens, and cloud APIs. Renewal automation is achieved through systemd timers, daemon mode, cron jobs, and CI/CD pipelines. The deployment model is a two-tiered X.509 PKI with one offline root CA and one intermediate CA that issues end-entity certificates with passive revocation.

**step-cli** is a command-line tool that serves as the interface for interacting with step-ca and Smallstep's broader toolchain. It supports a range of cryptographic operations including X.509 certificate creation and inspection, SSH certificate management, JWT and OAuth token handling, and OIDC integration. It is cross-platform, supporting macOS, Windows, and Linux.

Known limitations of the open-source toolchain include: single intermediate CA issuance only, no support for single-tier PKI, authority-wide issuance policies, limited active revocation options (CRL/OCSP), no Certificate Transparency log integration, no ACME External Account Binding (EAB), no certificate issuance history or metrics, and limited device attestation options.

A commercial upgrade path exists via Step CA Pro, which adds device identity, advanced compliance features, and cloud-based management.
Smallstep OSS PKI Toolchain (step-ca & step-cli) FAQ
Common questions about Smallstep OSS PKI Toolchain (step-ca & step-cli) including features, pricing, alternatives, and user reviews.
Smallstep OSS PKI Toolchain (step-ca & step-cli) is an open-source private CA toolchain for automated X.509 and SSH certificate management, developed by Smallstep. It is an IAM solution designed to help security teams with Open Source, TLS, SSH.