• 0 Posts
  • 9 Comments
Joined 11 months ago
Cake day: October 27th, 2023

  • The power of step-ca is that it supports lots of protocols for automating key/certificate issuing, renewing, or rekeying.

    You’ll still most probably want to use OpenSSL to generate your chain. step-ca seems to be unnecessary work/step for your case.

    By the way, the only “service” in my setup that doesn’t support TLS automation is my remote UPS management card. Even though I think I might be able to hack it. 😁 The rest is perfectly automatable. 🙂




  • No, it is not so difficult. But you need a bit of planning.

    First of all, you need a way to distribute your ROOT certificate to your clients. That’s more a question of automation.

    Second, you need to prepare the topology with certain rules. Things like dedicated certificates for people (identity), services (server certificates for dedicated subdomains), machine clients (for mTLS and zero-trust), infrastructure stuff like BMC/IPMI, UPS, routers…

    Basically, the rules are:

    1. Self-signed ROOT certificate
    2. Intermediate CA (signing certificate)
    3. (Optional) signing certificate

    In case of multiple (dedicated) certificates, you want to make the split at the intermediate/signing level. The chain will help you enforce the rules.

    You should decide which algorithm to use (RSA vs. ECC).

    Finally, you need a piece of software that will create and sign the certificates for you. This software must authenticate you and check whether your request conforms to the rules above.

    I’m using multiple instances of step-ca. Most of the famous certificate management solutions (the service side asking your authority for a certificate, including rekeying/renewal) support it. Which is good. Standard protocols are always better than in-house solution workarounds.

    To start building your CA:

    1. Learn about PKI (a good start is RFC-5280)
    2. Learn OpenSSL, how to deal with openssl.conf, sections, ASN.1
    3. If you need additional information on the certificate, register for your own Private Enterprise Number. Do not abuse existing attributes!
    4. Prepare an HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for the AIA protocol) and CRL (for validation)
    5. Put your intermediate/signing key/certificate into step-ca as a ROOT and you’re good to go.

    You can also incorporate an HSM if you have one. Just configure its pkcs11 module in OpenSSL and in step-ca.

    As it is quite a complex topic, feel free to drop additional questions. 👍
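The chain layout described in this comment (self-signed ROOT, intermediate/signing CA, dedicated server certificates with AIA and CRL pointers) as an added, runnable example. This is not the commenter's setup, nor step-ca or OpenSSL code: it uses Go's standard crypto/x509 library (the language step-ca itself is written in) so it runs offline without an openssl binary. The CA names, the domain example.internal and the AIA/CRL URLs are assumed placeholders. It goes one step beyond the comment's text by encoding two of the "rules" into the intermediate itself (a pathlen:0 basic constraint and a DNS name constraint) and then showing that a relying party's chain validation rejects a certificate that breaks either rule, regardless of what the issuing software did.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CA pairs an issuing certificate with its key; in memory here, offline or in an HSM in real life.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template sets what every certificate shares: a random 63-bit serial (never zero), subject, validity.
func template(cn string, days int) *x509.Certificate {
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)))
	return &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
	}
}

// issue generates a fresh P-256 key (ECC rather than RSA) for tmpl and signs it; nil signer = self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// NewRoot creates the self-signed ROOT; its only job is to sign CAs and CRLs.
func NewRoot(name string) *CA {
	t := template(name, 10*365)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	cert, key := issue(t, t, nil)
	return &CA{cert, key}
}

// IssueIntermediate creates the signing CA one level down with the rules baked in:
// pathlen:0 (end-entity certificates only) and a DNS name constraint (hosts under permittedDomain only).
func (ca *CA) IssueIntermediate(name, permittedDomain string) *CA {
	t := template(name, 3*365)
	t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, 0, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	t.PermittedDNSDomains, t.PermittedDNSDomainsCritical = []string{permittedDomain}, true
	cert, key := issue(t, ca.Cert, ca.Key)
	return &CA{cert, key}
}

// IssueServer creates a short-lived TLS server certificate pointing clients at the issuer (AIA) and CRL.
func (ca *CA) IssueServer(hostname string) *x509.Certificate {
	t := template(hostname, 90)
	t.DNSNames = []string{hostname}
	t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	t.IssuingCertificateURL = []string{"http://pki.example.internal/intermediate.crt"} // placeholder URL
	t.CRLDistributionPoints = []string{"http://pki.example.internal/intermediate.crl"} // placeholder URL
	cert, _ := issue(t, ca.Cert, ca.Key)
	return cert
}

// VerifyServer runs the same check a TLS client does: leaf up to the trusted root, for the given hostname.
func VerifyServer(root *CA, leaf *x509.Certificate, hostname string, inters ...*CA) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	for _, ca := range inters {
		pool.AddCert(ca.Cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: hostname})
	return err
}

// Demo builds ROOT -> intermediate -> server and returns the compliant server cert plus three results:
// that cert, one for a host outside the permitted domain, and one issued through an extra CA level.
func Demo() (good *x509.Certificate, okErr, badNameErr, tooDeepErr error) {
	root := NewRoot("Homelab Root CA")
	inter := root.IssueIntermediate("Homelab Services CA", "example.internal")
	good = inter.IssueServer("nas.example.internal")
	okErr = VerifyServer(root, good, "nas.example.internal", inter)
	// The CA software should refuse this request; the chain rejects it regardless.
	outside := inter.IssueServer("nas.other.test")
	badNameErr = VerifyServer(root, outside, "nas.other.test", inter)
	// A sub-CA under a pathlen:0 intermediate: nothing it issues will validate.
	subCA := inter.IssueIntermediate("Unplanned Sub CA", "example.internal")
	deep := subCA.IssueServer("ups.example.internal")
	tooDeepErr = VerifyServer(root, deep, "ups.example.internal", inter, subCA)
	return
}
```

Demo returns nil for the compliant certificate, a name-constraint error for the host outside example.internal, and a too-many-intermediates error for the certificate issued under the unplanned sub-CA. The same two constraints are what you would put in the intermediate's extension section of openssl.conf (`basicConstraints = critical, CA:true, pathlen:0` and `nameConstraints = critical, permitted;DNS:example.internal`), which is the "split at the intermediate/signing level" the comment recommends: the rule then travels with the chain and every client checks it, not just your CA software.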