platform/smallstep-agent.mdx
10 additions & 5 deletions
@@ -1,5 +1,5 @@
1
1
---
2
-
updated_at: October 01, 2025
2
+
updated_at: October 20, 2025
3
3
title: Smallstep Agent for Linux
4
4
html_title: Smallstep Agent for Device Management Guide
5
5
description: Deploy and configure Smallstep Agent on Linux. Automated device identity management and certificate renewal for enterprise Linux fleets.
@@ -236,11 +236,15 @@ If you get any errors, check the agent’s status:
236
236
sudo systemctl status step-agent.service
237
237
```
238
238
239
-
## **PKCS#11 Support**
239
+
### OpenSSL and PKCS#11 Support
240
240
241
-
The Smallstep agent provides a PKCS#11 server that can be used for a variety of integration use cases, such as NetworkManager and `wpa_supplicant` connections or web browser certificates. The PKCS#11 server is exposed as a UNIX socket at `$XDG_RUNTIME_DIR/step-agent/step-agent-pkcs11.sock`.
241
+
The Smallstep agent stores the certificate on the filesystem alongside a TPM TSS2-formatted file, which is a reference to a TPM-bound key. So, any software that integrates with OpenSSL's `tpm2-openssl` provider, or with the underlying `libtpm2-tss`, can use the TPM-bound key for TLS handshakes or other purposes.
242
242
243
-
### Example usage: Google Chrome
243
+
Because PKCS#11 is a common integration point, the Smallstep agent also provides a PKCS#11 server
244
+
for use with software like NetworkManager, `wpa_supplicant`, or web browsers.
245
+
The PKCS#11 server is exposed as a UNIX socket at `$XDG_RUNTIME_DIR/step-agent/step-agent-pkcs11.sock`.
246
+
247
+
#### Example usage: Google Chrome
244
248
245
249
For this example, we’re using Ubuntu 24.04. The location of `p11-kit-client.so` may vary.
246
250
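Review bot: The paragraph added at new line 241 says the certificate and a TSS2-formatted key reference are stored on the filesystem but never says where, so a reader who wants to point `tpm2-openssl` at the key has nothing to act on. Suggest naming the directory and file names, stating the expected ownership and mode of those files (the text invites third-party software to read them), and adding a short usage example in the style of the Chrome one. Separately, new lines 243-245 are hard-wrapped mid-sentence while every other paragraph in this hunk is a single line; join them for consistency, and confirm that `libtpm2-tss` is the library name readers will find in their package manager.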
@@ -260,7 +264,7 @@ In Chrome, you should now have access to certificates managed by Smallstep.
260
264
261
265
For regular usage, add `P11_KIT_SERVER_ADDRESS` to your environment more permanently. For example, you might add `P11_KIT_SERVER_ADDRESS=unix:path=$XDG_RUNTIME_DIR/step-agent/step-agent-pkcs11.sock` to your global `/etc/environment` file.
262
266
263
-
### Troubleshooting
267
+
#### Troubleshooting
264
268
265
269
The agent produces a log file or journal entries in systemd, depending on how it is installed and run.
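Review bot: Demoting `Troubleshooting` to `####` at new line 267 makes it a sibling of `#### Example usage: Google Chrome` under "OpenSSL and PKCS#11 Support", yet the context line that follows ("The agent produces a log file or journal entries in systemd...") reads as general agent troubleshooting rather than anything PKCS#11-specific. Either keep it at the level of the parent section or rename it (for example "Troubleshooting PKCS#11") and make the body match. While touching this area, the context line at 262/266 recommends putting `$XDG_RUNTIME_DIR` inside `/etc/environment`; it is worth verifying that the variable is actually expanded there on the distributions this guide targets, since the socket path is per-user.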