diff --git a/README.mdx b/README.mdx index d62cb828..aad486ab 100644 --- a/README.mdx +++ b/README.mdx @@ -4,6 +4,13 @@ disableSidebar: true

Documentation

+ -
diff --git a/graphics/tpm-attestation.png b/graphics/tpm-attestation.png new file mode 100644 index 00000000..6a3c4f4f Binary files /dev/null and b/graphics/tpm-attestation.png differ diff --git a/manifest.json b/manifest.json index ba196d2c..02a3cb37 100644 --- a/manifest.json +++ b/manifest.json @@ -17,12 +17,16 @@ "title": "Platform" }, { - "title": "Smallstep Overview", + "title": "About Smallstep", "routes": [ { - "title": "About Smallstep", + "title": "Overview", "path": "/platform/README.mdx" }, + { + "title": "Core Concepts", + "path": "/platform/core-concepts.mdx" + }, { "title": "Smallstep API", "path": "/platform/smallstep-api.mdx" diff --git a/platform/README.mdx b/platform/README.mdx index 6d84a4e2..1a3c423f 100644 --- a/platform/README.mdx +++ b/platform/README.mdx 
@@ -4,15 +4,20 @@ html_title: What is Smallstep? description: Smallstep is a centralised comprehensive internal PKI toolchain, providing IT/Security/DevOps engineers with everything they need to automate the deployment, and management (renewal, revocation and monitoring) of certificates for a broad range of contexts, use cases and environments. --- -Certificates are a fundamental part of any non-trivial architecture, as they are the strongest possible way to encrypt communications, authenticate users and devices, protect data integrity, and ensure compliance with security standards. +Certificates are a fundamental part of any non-trivial architecture. They provide the strongest possible way to authenticate users and devices, encrypt communications, protect data integrity, and ensure compliance with security standards. -Smallstep is a centralised comprehensive internal PKI toolchain, providing IT/Security/DevOps engineers with everything they need to automate the deployment, and management (renewal, revocation and monitoring) of certificates for a broad range of contexts, use cases and environments. +Smallstep is a comprehensive device identity solution for securely identifying company-owned or company-managed devices using high-assurance ***cryptographically attested device identity*** certificates. + +As networks and resources become increasingly distributed — with SaaS moving sensitive resources off private networks and BYOD policies introducing personal devices — threats to data confidentiality grow more aggressive. Organizations are seeking more secure methods to ensure that only authorized users on authorized devices can access sensitive resources. Provisioning trusted devices with device-attested client certificates for accessing critical resources within your organisation is the most effective way to achieve this. 
+ +Smallstep provides the means to use the strongest possible assurance of device identity to ensure that only trusted company-approved devices can enroll for client certificates to access sensitive organisational resources. This procedure is facilitated through the [ACME device attestation enrolment](https://smallstep.com/blog/managed-device-attestation/), effectively protecting your organisation from data breaches caused by credential compromise or phishing. + +With Smallstep, IT/Security/Network Engineers can assign certificates to devices and configure the things that rely on those certificates correctly without needing to know much about PKI. -We offer robust integration solutions for securing network connections to various resources like servers, databases, internal web applications, Kubernetes clusters, GitHub Actions, VPNs, VMs, Wi-Fi, managed devices, and more. With Smallstep, your PKI can serve as a unified foundation for certificate-driven security for all your devices, people, and workloads.
- 💡 If you’d like to dive deeper into certificates and PKI, see these articles from our blog: + 💡 Regardless, if you want to dive deeper into PKI, see some literature from our blog:
+# Why Cryptographic Attested Device Identity? +Many existing solutions provide some flavor of 'device identity' where the device self-reports a unique ID for itself, or the identity is tied to a credential. -# What can you use Smallstep for? -## Enterprise IT +But can such device identity be trusted if an independent infallible entity does not attest to it? Does a credential still significantly identify a device if it can be moved between devices? In such scenarios, we make critical assumptions that our devices and services report information is trustworthy. -Smallstep can be used to establish high-assurance device identities and restrict access by devices, ensuring that sensitive resources are only accessible from trusted company-managed devices. When combined with user identities, device identities bound to hardware can offer the strongest possible security guarantees. +Claiming device identity should be as substantiated as declaring one's citizenship. Just as one must provide a passport, attested and signed by their nation's government to prove their citizenship, a device should also offer some form of attestation to establish its identity. -Device Identity helps your organisation: +Take the SCEP enrolment process ubiquitously employed by MDM platforms. -- [Protect against credential theft based attacks](https://smallstep.com/blog/road-to-phishing-resistant-authentication/). -- Meet regulatory requirements and industry standards such as GDPR, HIPAA, and PCI DSS. -- Enforce non-repudiation, so you can seamlessly verify and attribute every action. +The Simple Certificate Enrollment Protocol (SCEP) [[**RFC**](https://en.wikipedia.org/wiki/RFC_(identifier)) [**8894**](https://datatracker.ietf.org/doc/html/rfc8894)] simplifies the process of issuing certificates to devices and 'verifying their identity' on a network. The process starts with an employee initiating enrollment through authentication with an MDM agent or link. 
The employee's device then receives a SCEP payload. This payload contains enrollment instructions, a SCEP server URL, and a challenge password, which the device then uses to obtain a certificate from the organisation's Certificate Authority (CA). -After devices have been securely enrolled and identified, Smallstep takes care of automatically deploying client certificates to company devices for accessing each of your most important resources, such as: +The problem is, in this process, the device does not provide strong evidence about itself when making a request. It's hard to verify that the device belongs to a said organisation or is a known device, because there is no known identity set up for the device the first time it identifies itself. Additionally, SCEP is secured with a password, making it vulnerable to phishing—if a scammer obtains a user's credentials, they could enroll an unauthorised device. Similarly, an attacker who gains access to a configuration profile could use SCEP to obtain a certificate and impersonate the user. -- Wi-Fi (for 802.1x EAP-TLS WPA-Enterprise) -- VPN Servers -- Zero Trust Network Access (ZTNA) -- HTTP/3 Proxies -- Internal Websites -- Cloud-based collaboration suites (Google Workspace, Microsoft Office365, Zoho Workplace, Atlassian Suite, e.t.c) -- Public SaaS applications (Stripe, Quickbooks, Slack, etc.) +How can controls be implemented to assure that only authorised trusted devices can obtain certificates using your organisation's PKI? -### For Organisations With MDM +The answer lies in cryptographic attested device identity: a device provides strong signed evidence, backed by hardware-bound keys, independent of the OS or user space, affirming its identity. -Smallstep integrates with your MDM to deploy client certificates to company-managed devices to enable certificate-based network authentication for Wi-Fi (802.1x EAP-TLS WPA-Enterprise), VPN, ZTNA, etc. 
+Modern devices feature cryptoprocessors ([TPMs](https://smallstep.com/blog/trusted-platform-modules-tpms/) or Secure Enclaves) that are isolated from the main processor. These cryptoprocessors are shielded from tampering and unauthorized access, even if the primary operating system is compromised. They provide hardware-based security-related functions and perform cryptographic operations. Each cryptoprocessor comes with a unique asymmetric key pair, hard-coded during manufacturing, of which the public part is publicly accessible. -We offer integrations for any MDMs for Apple and Windows devices that support Dynamic SCEP or ACME certificate enrollment protocols. +To verify its identity, a device signs a challenge by decrypting data encrypted with its public key. This public key is stored on the organization's device inventory, and the decryption is done using its hardware-bound private key. After successful verification, the device receives an attested device identity certificate. With this certificate, the device can prove its identity to your organisation's Public Key Infrastructure (PKI) and obtain the necessary certificates to access organisational resources. This can be achieved with device attestation and [ACME device-attest-01 challenge](https://datatracker.ietf.org/doc/html/draft-acme-device-attest-01). -![Jamf MDM Marketecture.png](/graphics/Jamf_MDM_Marketecture.png) +ACME is a client and server protocol that uses "challenges" to ensure a client can prove control over specific identifiers for issuing a certificate. The device-attest-01 challenge allows devices to request attestation from a device inventory. They then forward the signed attestation and Certificate Signing Request (CSR) to a supported ACME server in exchange for a signed certificate from the organisation's PKI. -Supported MDMs include: Jamf, Intune, Workspace ONE, Mosyle, Ivanti, Jumpcloud, and lots more. 
+This process, known as cryptographic device attestation, forms the foundation for secure, automated device enrollment, and is how we protect your resources. -Smallstep can also be used as a drop-in replacement for Active Directory Certificate Services (ADCS), allowing you to transition from ADCS while still serving legacy workloads. We provide backwards-compatible support for SCEP and NDES, and also let you bring your existing Root CA with you, so you can get up and running in minutes. + -![Intune MDM Marketecture.png](/graphics/Intune_flow_diagram.png) +# How can you use Smallstep? -See: +The Smallstep Agent is the vehicle through which Smallstep delivers cryptographically attested device identity to your organisation. It is the recommended way to identify devices and get client certificates to devices (Windows, Linux, Mac OS) for Enterprise Wi-Fi, VPN, HTTP/3 proxies, or web applications. -- [Why Your Organisation Should Be Migrating From Microsoft AD CS](https://smallstep.com/blog/migrate-from-microsoft-adcs/) -- [How to Bring Your Own Root from AD CS to Smallstep](https://smallstep.com/blog/byor-adcs-to-smallstep/) +It is a lightweight program that runs in the background on devices and manages end-to-end certificate lifecycle for various resources. It works with all TPM 2.0 devices—virtual TPMs, firmware TPMs, or physical TPMs—and on some TEEs and Secure Enclaves (eg. Apple Managed Device Attestation). + +To get started, [sign up now](https://smallstep.com/signup/). + +## For Organisations who do not want to use the Agent + +If for any reason, you cannot have the Smallstep Agent on your devices, Smallstep can still help you get certificates to devices via your MDM using SCEP. This method is less secure than the cryptographic device attestation offered by the ACME device-attest-01 challenge, which is supported by the Smallstep Agent. Regrettably, major MDM providers have yet to adopt ACME device attestation. 
+ +Smallstep integrates with your MDM to deploy client certificates to company-managed devices to enable certificate-based network authentication for Wi-Fi (802.1x EAP-TLS WPA-Enterprise), VPN, ZTNA, etc. + +We offer integrations for any MDMs for Apple and Windows devices that support Dynamic SCEP like Jamf, Intune, Workspace ONE, Mosyle, Ivanti, e.t.c. + +![Jamf MDM Marketecture.png](/graphics/Jamf_MDM_Marketecture.png)
@@ -69,23 +80,20 @@ See:

In static SCEP, a single challenge password is in every SCEP payload for every device. This practice is insecure and not recommended. Furthermore, it only shows a single user in reporting. We do not support this because we believe it's crucial to provide the most secure options for your infrastructure.

In contrast, for Dynamic SCEP, webhooks are used to generate new challenges and unique passwords for each device, and you would be able to see reporting for all devices.

-

If your MDM does not support Dynamic SCEP, your next best bet to deploy Smallstep is to use the Smallstep Agent. See details below.

-### For Organisations Without MDM or with Linux Devices - -The Smallstep Agent is the recommended way to get identify devices and get client certificates to devices for Enterprise Wi-Fi, VPN, HTTP/3 proxies, or web applications in the following scenarios: +Smallstep can also be used as a drop-in replacement for Active Directory Certificate Services (ADCS), allowing you to transition from ADCS while still serving legacy workloads. We provide backwards-compatible support for SCEP and NDES, and also let you bring your existing Root CA with you, so you can get up and running in minutes. -- SMEs with 20 - 100 devices without an MDM -- Linux devices -- Managed devices under an MDM that does not support Dynamic SCEP +![Intune MDM Marketecture.png](/graphics/Intune_flow_diagram.png) -The Smallstep Agent is a lightweight program that runs in the background on devices and manages end-to-end certificate lifecycle for various resources (workloads). The agent leverages Trusted Platform Modules (TPMs) for trust bootstrapping. It works with all TPM 2.0 devices—virtual TPMs, firmware TPMs, or physical TPMs—and on some TEEs and Secure Enclaves (eg. Apple Managed Device Attestation). + -# How Can You Use Smallstep? +# The Smallstep Ecosystem Depending on what’s best for your infrastructure and current reality, Smallstep offers different deployment options to meets your needs: 
@@ -103,32 +111,26 @@ Talk to Smallstep’s Customer Engineering Team at [support.smallstep.com](http: ## Smallstep Open-Source Toolchain -Our open source toolchain the most popular open-source certificate management toolchain, and was designed for DevOps and homelab or POC use cases—it’s not a device identity platform, and doesn’t solve the problems listed above. +Our open source toolchain the most popular open-source certificate management toolchain, and was designed for DevOps and homelab or POC use cases. However, it’s not a device identity platform, and doesn’t solve the problems listed above out-of-the-box. -Our open-source toolchain for certificate and PKI management features 3 components: +Our open-source toolchain provides IT/Security/DevOps engineers with an extensive internal PKI toolchain, which includes everything needed to automate the deployment and management (renewal, revocation, and monitoring) of certificates for a broad range of contexts, use cases, and environments. -- [step CLI](https://github.com/smallstep/cli): A user-friendly command-line interface to build, operate, and automate PKI systems. -- [step-ca](https://github.com/smallstep/certificates): A powerful online CA for secure, automated certificate management. -- [step-issuer](https://github.com/smallstep/step-issuer) and [autocert](https://github.com/smallstep/autocert): Kubernetes-native solutions for seamless certificate issuance and management in containerized environments. +We offer robust integration solutions for securing network connections to various resources like servers, databases, internal web applications, Kubernetes clusters, GitHub Actions, VPNs, VMs, Wi-Fi, managed devices, and more. With Smallstep, your PKI can serve as a unified foundation for cryptographic encryption and authentication for all your devices, people, and workloads. -Get tinkering and [***Join our open-source Discord community*** ](https://u.step.sm/discord). 
+Our open-source toolchain for certificate and PKI management features 3 components: -## Smallstep Enterprise CA +- step CLI: A user-friendly command-line interface to build, operate, and automate PKI systems, with built-in support for ACME & the **`device-attest-01`** challenge. +- step-ca: A powerful online CA for secure, automated certificate management. +- step-issuer and autocert: Kubernetes-native solutions for seamless certificate issuance and management in containerized environments. -Smallstep Enterprise CA is a drop-in upgrade for open-source certificate management toolchain, offering advanced features, support, and compliance options. It extends our open source with Device Identity features and integrations. +[Join our open-source Discord community.](https://u.step.sm/discord) -The Enterprise CA is ideal for organisations who want full On-Prem Control or need to make the transition from open-source to commercial to access Device Identity capabilities and advanced compliance options. +## `step-ca` Pro -With Enterprise CA, just like our open source toolchain, you still maintain full control over the CA and root signing keys while benefiting from our cloud-based integrations and management interface. +`step-ca` Pro is Smallstep's drop-in upgrade for our open-source Certificate Authority server, offering advanced features, support, and compliance options. It extends our open source with high availability, active revocation, FIPS compliance, simpler integrations and APIs, and device identity features. -Key Features are: +`step-ca` Pro is ideal for organisations who want full On-Prem Control or need to make the transition from open-source to commercial to access Device Identity capabilities and advanced compliance options. 
-- Fast and lightweight setup on Linux, Kubernetes, and Docker -- Smallstep Device Identity, including MDM & posture integrations and active revocation (CRL & OCSP) -- High-volume certificate issuance with HSM integration -- FIPS and software supply-chain compliance, including SBOM & code-signing -- Broad support for enrollment protocols, such as SCEP, REST API, SSO (OAuth OIDC), SPIFFE, cloud identities, and Kubernetes integration -- Connectors for existing PKI backends (AD CS, GCP CAS, AWS PCM) -- High availability, automation, and CLM integration with Sectigo and Digicert +With `step-ca` Pro, just like our open source packages, you maintain full control over the CA and signing keys while benefiting from our cloud-based integrations and management interface. -We offer standard SLAs with 24-hour response for non-critical issues and 4-hour turnaround for critical incidents. For organizations requiring tailored assistance, enhanced support options are available, ensuring your infrastructure remains secure and operational. [Reach out](https://go.smallstep.com/request-demo) if you're looking to explore this option. +Interested? [Reach out to our Sales team](https://go.smallstep.com/request-demo). diff --git a/platform/core-concepts.mdx b/platform/core-concepts.mdx new file mode 100644 index 00000000..39bfdc94 --- /dev/null +++ b/platform/core-concepts.mdx 
@@ -0,0 +1,93 @@ +--- +title: Core Concepts +html_title: Smallstep Core Concepts +description: High-level overview of the major components and concepts you’ll encounter while working with the Smallstep platform, and how they interact/relate with one another to protect your resources and provide strong assurance of device identity. +--- +![Image: Device Identity Attestation Flow](/graphics/tpm-attestation.png) + +# Workflow Overview + +Smallstep protects your organisation from phishing and data breach attacks, by limiting access to corporate resources to only company-owned or approved devices. + +This document provides an overview of the major components and concepts you’ll encounter in the Smallstep platform, and how they work together to protect your resources and provide strong assurance of device identity. + +Here's how Smallstep gets the right certificates to your devices. In this example, we'll assume we're enrolling a Windows or Linux device with a TPM 2.0 crypto processor chip. Apple devices enroll with Secure Enclave, but the workflow is similar. + +1. As an administrator, you register your company-owned or approved devices in the Smallstep web UI, using a permanent identifier for the device, such as the TPM 2.0 Endorsement Public Key (EKPub). Smallstep has an API and integrations that simplify syncing device identiers from other services such as MDM servers or IT asset management services. +2. You (or your employee) installs the **Smallstep app** on a registered device. +3. The Smallstep app kicks off the device identity trust bootstrapping process by instructing the cryptographic processor (TPM) to create an Attestation Key (AK) pair. +4. The Smallstep app requests a device attestation certificate (AKCert) from the **Smallstep Attestation CA**. +5. 
The Smallstep Attestation CA verifies that: + a) The request is coming from a company-owned or company-approved device, by checking if the EKPub is registered on your Smallstep team device inventory, and + b) The request is coming from a device where the Endorsement Key is resident, by asking the TPM to decrypt a challenge encrypted by the CA using the EKPub. +6. Upon verification, the Smallstep Attestation CA signs an Attestation Certificate for the app. The Attestation Certificate cannot be used for any purpose other than attestation. +7. The app uses the Attestation certificate complete an ACME `device-attest-01` challenge from the **Agent CA** to obtain a Smallstep device certificate. +8. Finally, the app uses the Smallstep device certificate via an X5C **Provisioner** to obtain client certificates needed by the device, from your **Smallstep Account CA**. + +This workflow requires no credentials be configured in the app. No passwords. The Smallstep device certificate is stored only in memory, never saved to disk. The client certificates may be short-lived or have TPM-protected private keys, depending on what the operating system and the target application can support. + +# Definitions + +## Device Identifiers + +Before restricting access to organizational resources to only your devices, you must register your devices. Smallstep offers a device API to register and document your devices. + +Cryptographic processors used to establish trust in a device workflow come with a unique per-device asymmetric key pair that is hardcoded during manufacturing. For TPM modules, this key pair is known as the Endorsement Key. Sometimes, the TPM's manufacturer signs and includes an Endorsement Key Certificate (EKcert). For Apple's Secure Enclave, this is the Secure Enclave UID, a root cryptographic key fused to the secure enclave during manufacturing, and is inaccessible even to Apple. 
+ +A third party could verify possession of an Endorsement Key pair by encrypting a small piece of data with the public key and asking the TPM to decrypt it with the private key. This simple device authentication mechanism offers the highest assurance that a request originates from a known device, compared to the SCEP + MDM enrolment process. + +## Smallstep app +The Smallstep app is a desktop app that offers a uniform experience for device identity across macOS, Windows, and Linux. It is the foundation for Smallstep's high-assurance device identity attestation workflow, automating the issuance of certificates to devices and configuring the components that depend on these certificates. + +The app is installed on individual company-managed devices and operates without administrative privileges. It only collects the device security context essential for your organisation's administrative policy configuration. + +After proving its identity to the Smallstep Attestation CA, the app obtains a device identity certificate. This device certificate is then used to obtain short-lived client resources for accessing organisational resources such as Wi-Fi or VPN networks, ensuring that sensitive organisational resources are only accessible from trusted company-managed devices. + +## Smallstep Attestation CA +The Smallstep Attestation CA service is responsible for verifying the identity of a device that is authenticating itself. It confirms that the key presented by the device is hardware-bound and that the device is a known device registered to your Smallstep team account. + +The Attestation CA carries out a challenge/response protocol with the attestor (the device with the TPM) to validate the TPM's identity and issue an attestation certificate to the device. Subsequently, the device uses the attestation certificate to acquire a device identity certificate from the Agent CA. 
+ +For a device to successfully complete an ACME Device Attestation challenge and obtain a high-assurance device identity certificate, it must present a valid attestation certificate (chain) signed by a trusted Attestation CA. + +Devices like Apple and Yubikeys have an Attestation CA maintained by their manufacturers. However, not all devices with TPMs (and similar tech) operate in environments where an Attestation CA is available that can (remotely) attest to device identity. + +The Attestation CA was built into the Smallstep platform to provide a uniform standard device identity attestation protocol. + +## Agent CA +The Agent CA is the certificate authority responsible for issuing, renewing, and revoking device certificates for device identity. It is configured to trust the Smallstep Attestation CA. As a result, when the app receives an Attestation Certificate from the Smallstep Attestation CA, it can use this certificate to procure a device identity certificate from the Agent CA by completing an ACME device-attest-01 challenge or another certificate enrollment method, in cases where the former is not possible. + +## Attestation Key (AK) Certificate +An Attestation Certificate (AKcert) is a type of device identity certificate stored in the TPM, with its private key hardware-bound. The Attestation Certificate is provided to a trusted device after the Smallstep Attestation CA has verified its authenticity. + +To obtain an Attestation Certificate, the device must demonstrate to the Attestation CA that it possesses the hardware-bound private key of the cryptoprocessor. This Attestation Certificate is only used to establish a trust relationship with the device. The device uses it to acquire a device certificate, which is then used as an authentication token for client certificates. + +## Account +An account is the means by which an end-user can access a resource protected by Smallstep, such as Wi-Fi, VPN, or a website. 
For instance, employees (their registered devices) in an organization who need access to a Wi-Fi network are issued Wi-Fi account certificates for their devices. + +## Account CA +The Account CA is the certificate authority responsible for issuing 24-hour short-lived certificates for securely accessing different resources. When you create a Wi-Fi or VPN account via the Smallstep web app UI or API, the Agent obtains the respective Wi-Fi or VPN access certificate from the Account CA. + +Every Smallstep team has one Account Certificate Authority (CA). For each account created, an X5C provisioner is created. + +After the Agent has obtained a device identity certificate from the Agent CA, it uses this certificate to obtain the necessary client certificate from the Account CA via an X5C provisioner. The Account CA trusts the Agent CA as a root of trust and verifies every request against the Agent CA’s public key. + +## Device Collection +A Device Collection is a named group of specific devices of the same ***type***, which share configurations or policies. + +A device type refers to a specific variant of a kind (such as VMs, laptops, or mobile phones) that runs the same OS (Windows, MacOS, Linux, iPadOS, or iOS), and comes from the same source (AWS, GCP, Azure, etc.). For instance, AWS VMs, Azure VMs, GCP VMs, and Linux laptops are different types of devices. + +Device Collections are useful for applying shared configurations. + +## Provisioners + +Provisioners provide various mechanism to authenticate certificate signing requests. The role of a Certificate Authority is to issue certificates to end entities, and it needs to somehow verify that the entity is authorised to make a certificate request. + +Used to help bootstrap new entities into the PKI, each Provisioner addresses a particular environment. A certificate authority can have support different provisioners for enabling different use cases. 
A few examples include: + +- **X5C provisioner** - Useful for when a client can authenticate a certificate request using an existing X.509 certificate from a different CA. It allows clients to use a different PKI to bootstrap trust. Configure this provisioner with a root CA certificate, and any certificate that chains up to that root can be used in a certificate request. +- **ACME Provisioner** - Useful for automating TLS certificates, the ACME provisioner provides CSR generation, domain ownership verification, certificate download, and installation. With support for all of the ACME challenge types supported by Let’s Encrypt (HTTP, DNS, ALPN), the ACME provisioner unlocks the entire ACME ecosystem of tools and clients. +- **The SCEP Provisioner** - Useful for signing and renewing certificates using the SCEP protocol ([RFC8894](https://datatracker.ietf.org/doc/html/rfc8894)). SCEP is very popular for use in network equipment and mobile device management (MDM). It runs over HTTP using POSTed binary data or base64-encoded GET parameters, using CMS (PKCS#7) and CSR (PKCS#10) data formats, and a (shared) secret authenticates clients to the CA. +- **Cloud API Provisioners** - Useful for issuing certificates to public cloud virtual machines, Cloud API Provisioners use the native cloud provider API and instance identity documents to automate certificates. With support for AWS, GCP, and Azure metadata APIs, the Cloud API provisioner accelerates secure cloud operations. +- **OIDC Provisioner** - Useful for getting certificates to people, the OAuth/OpenID Connect (OIDC) Provisioner uses identity tokens for authentication. With this provisioner, you can use single sign-on with G Suite, Okta, Azure Active Directory, or any other OAuth OIDC provider to verify the user's identity before issuing a certificate. +- **JWK Provisioner** - Useful for a broad range of workflows, the JWK provisioner provides a flexible JSON Web Token-based authentication flow. 
Often paired with infrastructure automation solutions, the JWK Provisioner can deliver one-time tokens to a new workload to later be exchanged for an x.509 certificate.
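Review bot: in the top-level README.mdx hunk (`@@ -4,6 +4,13 @@`), the only visible addition under "Documentation" is a bare list marker (`+ -`) with no item text, although the header announces seven added lines; confirm the item's text is actually in the commit rather than an empty bullet, and drop the bullet if it has none.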
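Review bot: in the platform/README.mdx hunk (`@@ -4,15 +4,20 @@`), the sentence "To verify its identity, a device signs a challenge by decrypting data encrypted with its public key" conflates two different operations; the rest of the commit (core-concepts step 5b) describes a decryption-based challenge, so say "proves possession of its hardware-bound private key by decrypting a challenge the CA encrypted to its public key". The same hunk says the `device-attest-01` challenge lets devices "request attestation from a device inventory", but elsewhere in this commit the attestation statement comes from an Attestation CA and the inventory only holds the registered EKPub; wording it as "from an attestation authority (the manufacturer's or the Smallstep Attestation CA)" would match the Core Concepts page. Smaller points in the added lines: the heading "Why Cryptographic Attested Device Identity?" should read "Cryptographically Attested"; "e.t.c." is "etc."; "Mac OS" is "macOS" as used in core-concepts.mdx; the SCEP reference is split into two links (`[**RFC**](…wikipedia…) [**8894**](…rfc8894)`) and is cleaner as a single "RFC 8894" link to the datatracker; and "organisation"/"organization" alternate within the same paragraphs, so pick one spelling for the file.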
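Review bot: in the `@@ -69,23 +80,20 @@` hunk of platform/README.mdx, the unchanged line "your next best bet to deploy Smallstep is to use the Smallstep Agent. See details below." is now stale: this commit moves the Agent description into "How can you use Smallstep?", which precedes the MDM/SCEP material, so the pointer should say "above" or link to that heading directly. While touching this region, the context line "Smallstep offers different deployment options to meets your needs" should read "meet your needs".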
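Review bot: in the `@@ -103,32 +111,26 @@` hunk, the rewritten line "Our open source toolchain the most popular open-source certificate management toolchain" carries over the missing verb from the removed line; it should read "Our open source toolchain is the most popular …". The new component list also drops the repository links that the removed bullets had (`[step CLI](https://github.com/smallstep/cli)`, `[step-ca](https://github.com/smallstep/certificates)`, `[step-issuer](https://github.com/smallstep/step-issuer)` and autocert); keep those links on the new bullets so readers can find the code. In the `step-ca` Pro section, "full On-Prem Control" is inconsistently capitalised relative to the surrounding prose ("on-prem control").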
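Review bot: in the new platform/core-concepts.mdx, the workflow's verification step does not bind the key being certified to the key being checked: step 3 has the TPM create an Attestation Key pair, step 6 issues a certificate for that AK, but step 5 only proves that "the Endorsement Key is resident, by asking the TPM to decrypt a challenge encrypted by the CA using the EKPub". As listed, nothing ties the AK in the request to the TPM that holds the registered EK. If the implementation binds the challenge to the AK (for example via TPM2_MakeCredential/TPM2_ActivateCredential, where the secret is only releasable to the TPM that holds both the EK and the named AK), state that in 5b; otherwise this is a real gap in the described protocol. Related consistency points: the Device Identifiers section says the Apple Secure Enclave UID "is inaccessible even to Apple", yet the page registers devices by a permanent public identifier, so say which Apple identifier is actually registered; "An Attestation Certificate (AKcert) is a type of device identity certificate stored in the TPM" conflicts with the earlier "cannot be used for any purpose other than attestation", and it is the AK private key, not the certificate, that is TPM-resident; and "short-lived client resources for accessing organisational resources" should be "client certificates". Typos in the added lines: "device identiers" (identifiers), "uses the Attestation certificate complete an ACME" (missing "to"), "provide various mechanism" (mechanisms), "can have support different provisioners" (can support), "Devices like Apple and Yubikeys" (Apple devices and YubiKeys), "x.509" (X.509), and "MacOS" alongside "macOS".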