Comment

Comment on HTTPS on homelab (just locally)

Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.

Running a CA is cool however, just be aware of the risks involved with running your own CA.

You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

source

Sort:hotnew top

Findmysec@infosec.pub ⁨4⁩ ⁨months⁩ ago
Running a CA is cool however, just be aware of the risks involved with running your own CA.

All they say that if the private key is stolen then you’re screwed. Think about it, if an attacker can:

Get into your network.

Presumably bypass key-based ssh/container runtime protections

Access pod/VM which is running the CA

Bypass default MAC settings (Apparmor on debian, SELinux on RHEL)

Steal private key without you knowing on your logs

You have a much bigger problem my friend
source
- TCB13@lemmy.world ⁨4⁩ ⁨months⁩ ago
  While I agree with you, an attacker may not need to go to such lengths in order to get the PK. The admin might misplace it or have a backup somewhere in plain text.
  
  source