
TL;DR

In this tutorial, we’re going to build a tiny, standalone, online Certificate Authority (CA) that will mint TLS certificates and is secured with a YubiKey. The YubiKey will securely store the CA private keys and sign certificates, acting as a cheap alternative to a Hardware Security Module (HSM). It will be an internal ACME server on our local network (ACME is the same protocol used by Let’s Encrypt). We’ll also use an open-source True Random Number Generator, called Infinite Noise TRNG, to spice up the Linux entropy pool.

Why would I want a Certificate Authority in my homelab?!

Because end-to-end TLS is great and you should easily be able to run TLS wherever you need it. Internal networks are no longer perceived as a safe zone where unencrypted traffic is okay. Because TLS client authentication is becoming more widely supported in different services, and it’s a lot better than passwords. Because the ACME protocol (used by Let’s Encrypt) can easily be deployed internally, so you can automate renewal and never have to think about your certificates. Because maybe you’ve done the ‘self-signed certificate’ rigmarole with OpenSSL a dozen times already.
