I’m looking for a self service type page that allows me to sign in and download new certs.
VaulTLS: github.com/7ritn/VaulTLS
Submitted 4 days ago by possiblylinux127@lemmy.zip to selfhosted@lemmy.world
This is what I was looking for
Container crutches. Ew.
In the interest of giving more than “there are tons of those” I’ll suggest starting the search with https://caddyserver.com/
It provides a CA, reverse proxy, and can act as its own ACME server, providing mTLS between instances.
You mean a self hosted CA? Yes there are tons of those.
I self-host a CA server with [step-ca](github.com/smallstep/certificates), and I also use it to create my mTLS certs.
Give the Pangolin project a look.
It’s a reverse proxy with tunneling solution that can expose domain names to the internet without having to manage the certificates or open ports.
I use it in my home lab and it’s very very good
I use Minica and it’s insanely simple to use. Terminal based though.
If you feel up for answering, what is your use case for wanting to manage your own mTLS?
My main use case is using it to protect my exposed Home Assistant instance in a way that doesn’t require a VPN that family can screw up. I can just install the cert into the app for them and it Just Works. I also use it for my own Gotify notifications.
As a more general rule, I apply it to anything I want to expose but can’t easily protect using OIDC logins.
I’ve found Authentik’s proxy will break things that don’t support it (like a Jellyfin app; afaik no app supports hitting an Authentik proxy login first). Do you have a way around that? Or are the friends/fam web-browser only unless they get around to the certificate?
I don’t want to manage my mTLS. That’s why I’m looking for a better solution.
Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?
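The pattern being asked about (reverse proxy lets a request through only if the client presented a certificate signed by your own CA) looks like this in a Caddyfile. This is an added example, not from the thread or from the Caddy project; the hostname, the CA file path and the Home Assistant backend address are assumptions.

```caddyfile
# Added example (not from the thread). Assumed values: ha.example.com is the
# public name, /etc/caddy/client-ca.crt is the root of the CA that issues the
# family's client certs (e.g. exported from step-ca), and Home Assistant
# listens on 10.0.0.5:8123 inside the home network.
ha.example.com {
    tls {
        # The server certificate is still obtained from a public ACME CA as
        # usual; this block only adds client verification on top of it.
        client_auth {
            # require_and_verify rejects the handshake when no client cert is
            # presented or when it does not chain to the trusted CA.
            # verify_if_given would let clients with no cert straight through,
            # which is not what you want for an exposed service.
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/client-ca.crt
        }
    }

    # Only a connection that passed the client-cert check reaches this point.
    reverse_proxy 10.0.0.5:8123

    # Keep an access log so failed or unexpected handshakes are visible.
    log {
        output file /var/log/caddy/ha-access.log
    }
}
```

Clients without a valid certificate are rejected during the TLS handshake, before any HTTP request reaches Home Assistant, so the app sees nothing from unauthenticated sources.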
frongt@lemmy.zip 4 days ago
mTLS is mutual TLS, more commonly known as client cert authentication (alongside the modern standard server authentication), for anyone else who has never heard of it by that name.
False@lemmy.world 4 days ago
I’ve never heard it called anything but mTLS. :shrug:
EncryptKeeper@lemmy.world 3 days ago
mTLS is the more common name these days.