Comment on Do you run a private CA? Could you tell me about your certificate setup if you do?
TCB13@lemmy.world 11 months ago
Written in go, very small and portable: github.com/FiloSottile/mkcert. There’s also step-ca, bigger and uses ACME to deploy certificates, never used it tho.
Just be awake of the risks involved with running your own CA.
MigratingtoLemmy@lemmy.world 11 months ago
Thanks, could you tell me why one would run this over plain OpenSSL with automation? Also, what risks would I run running a private CA? I’d love to know!
TCB13@lemmy.world 11 months ago
Those projects essentially are the automation…
…stackexchange.com/…/what-are-the-risks-of-instal…
More or less you’re adding a root certificate to your systems that will effectively accept any certificate issues with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is removed and not trusted by anyone.
MigratingtoLemmy@lemmy.world 11 months ago
I do realise the security problem in keeping the private key safe. I plan to use a VM with encrypted storage underneath. Do you think that’s OK for a homelab, or should I invest time into integrating HSM modules from Nitrokey?
TCB13@lemmy.world 11 months ago
Why are you pushing for your own CA in the first place?