I love my homelab, and the more I tune things the more satisfaction I have. I tolerated the “Your connection is not private” for my self-signed SSL certs on my services for way too long.

I just set up NGINX Proxy Manager as an LXC on my Proxmox Server and pointed a subdomain I own to the server. Now I have custom domains for each service along with valid SSL Certificates. It’s all local without exposing anything to the outside world. It’s very satisfying. I tried explaining what I was doing to my GF but she could care less ¯\_(ツ)_/¯

Followed this video from Wolfgang’s Channel on YouTube (great channel btw), the first minute does a better job explaining the setup. I always thought I would have to set up a local CA which is more work than I was interested in, but this approach was much simpler (and free!).

  • steezy280@alien.topB
    11 months ago

    Thank you, I’m actually currently building my CA. Planning for an offline root. Question: what free or non-enterprise-priced software options are there? I have Entrust at work, looking for something I can use at home.

    • EODdoUbleU@alien.topB
      11 months ago

      For my Root I use OpenSSL with the pkcs11 module to keep the keys on a Yubikey, then I use Step CA as an intermediate/issuing.

        • EODdoUbleU@alien.topB
          11 months ago

          How are you handling RootCA secrets? Right now, I’m using a (couple) USB drive with two LUKS partitions, one for CA key backup and Yubikey management and PUK keys, then one that only contains the PIN which is fetched by OpenSSL using -passin file:xxx.

          I’ve been a little concerned about being able to properly back all that up, so I was thinking about using KeepassXC and the CLI tool to replace the partitions.

      • Simon-RedditAccount@alien.topB
        11 months ago

        Planning to use Yubikey for one of my subCAs. Do you know a good writeup on OpenSSL+Yubikeys?

        Also, which Yubikey slot do you use for storing the cert/pkey?