Build a Tiny Certificate Authority For Your Homelab

submitted by
Style Pass
2025-01-19 16:00:03

TL;DR In this tutorial, we're going to build a tiny, standalone, online Certificate Authority (CA) that will mint TLS certificates and is secured with a YubiKey. It will be an internal ACME server on our local network (ACME is the same protocol used by Let's Encrypt). The YubiKey will securely store the CA private keys and sign certificates, acting as a cheap alternative to a Hardware Security Module (HSM). We'll also use an open-source True Random Number Generator, called Infinite Noise TRNG, to spice up the Linux entropy pool.

Now, insert your YubiKey. Let's install yubikey-manager (and its dependency, pcscd) and make sure you can connect to the YubiKey:

You'll need to install both step-ca (the CA server software) and step (the command used to configure and control step-ca).

Infinite Noise TRNG is an open-source USB True Random Number Generator. It uses a "modular entropy multiplier" architecture to generate a lot of random data quickly. For this setup, a daemon will continuously feed entropy into Linux's system entropy pool by writing to /dev/random.
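To show how the pieces from the TL;DR fit together once step-ca and step are installed, here is an added example of the relevant part of a step-ca `ca.json` that points the CA at a YubiKey-held key and exposes an ACME provisioner. This is not the tutorial's own configuration: the file paths, the provisioner name and the PIN are assumptions (the PIN is a placeholder for whatever you set on your YubiKey), and the key URI assumes the intermediate key was generated in PIV slot 9c.

```json
{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "yubikey:slot-id=9c",
  "kms": {
    "type": "yubikey",
    "pin": "<REPLACE_WITH_YOUR_PIV_PIN>"
  },
  "address": ":443",
  "dnsNames": ["ca.internal"],
  "authority": {
    "provisioners": [
      {
        "type": "ACME",
        "name": "acme"
      }
    ]
  }
}
```

Because the PIN sits in plaintext in `ca.json`, restrict that file to the user step-ca runs as; the private key itself never leaves the YubiKey, which is the property this setup is buying.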
