Smallstep VPN is a certificate-based VPN authentication solution that replaces traditional password, token, and pre-shared key authentication with hardware-bound, short-lived certificates. Certificates are tied to hardware-secured keys (TPM or Secure Enclave) and issued only after cryptographic device attestation via ACME Device Attestation (ACME DA), ensuring only verified devices gain VPN access. Enrollment is handled through the Smallstep agent, which manages certificate provisioning and lifecycle (issuance, renewal, revocation) automatically in the background without end-user interaction. For environments without the agent, Dynamic SCEP via MDM is supported as an alternative to legacy static SCEP payloads. The solution integrates with MDM platforms to push VPN configurations and certificates across macOS, Windows, and Linux devices. Authorized devices connect to VPN automatically using zero-touch deployment — no manual credential entry or profile downloads are required from users. Smallstep VPN supports multiple VPN protocols including IKEv2/IPSec, SSL/TLS, and RADIUS/EAP-TLS, as well as open-source VPN servers (OpenVPN, StrongSwan) and commercial VPN platforms. It functions as a replacement for Active Directory Certificate Services (AD CS) for certificate issuance. The product is positioned for use cases requiring Zero Trust Network Access (ZTNA) to internal systems, AI inference endpoints, and MCP-exposed services.