Comment on Do you run a private CA? Could you tell me about your certificate setup if you do?
MigratingtoLemmy@lemmy.world 9 months agoThanks, could you tell me why one would run this over plain OpenSSL with automation? Also, what risks would I run running a private CA? I’d love to know!
TCB13@lemmy.world 9 months ago
Those projects essentially are the automation…
…stackexchange.com/…/what-are-the-risks-of-instal…
More or less you’re adding a root certificate to your systems that will effectively accept any certificate issues with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is removed and not trusted by anyone.
MigratingtoLemmy@lemmy.world 9 months ago
I do realise the security problem in keeping the private key safe. I plan to use a VM with encrypted storage underneath. Do you think that’s OK for a homelab, or should I invest time into integrating HSM modules from Nitrokey?
TCB13@lemmy.world 9 months ago
Why are you pushing for your own CA in the first place?
MigratingtoLemmy@lemmy.world 9 months ago
I would not like to use a public domain for my internal network. By extension, I do not want any public CA to know the domains and subdomains I use in my lab and home network