@jwildeboer
This is great content! Good job!
I've been running my StepCA for a while (even with private/not exposed DNS), so I would like to add a couple of points for you to think about:
a) I'm a little paranoid, so I made sure to tell the CA that it can only issue certs to specific domains (not even the sub-domains). Like this: step ca policy authority x509 allow dns "*.<your-dns-zone>". If you want a sub-domain, you need to add *.sub.zone. (this can be edited directly in ca.json as well).
b) One problem that hits me every once in a while is about devices or services that do not accept private CAs. Either you have to jump through hoops to make them work or, worse, some of them do not work at all. It's rare, but when it happens it's frustrating.
I've been using my CA with NGINX and Caddy for a while, but last week I got it working with CertManager in a Kubernetes cluster. I just need to find time to blog about it. 😄
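As an added example (my own script, not the commenter's code and not part of step-ca), the check below mimics the allow-list behaviour described in point (a): a `*.zone` entry covers exactly one DNS label, so a deeper host only passes if its own `*.sub.zone` entry is present. It is useful as a pre-flight test before requesting a certificate, so a denied SAN is caught locally rather than by the CA. The zone names `home.example` and `lab.home.example` are made up, and the single-label rule is taken from the comment rather than verified against step-ca's source here; the `step ca policy` commands in the comments are the ones the commenter gives.

```shell
#!/bin/sh
# Added example, not the commenter's or smallstep's code.
# The CA-side policy from the comment (run against a live step-ca) would be:
#   step ca policy authority x509 allow dns "*.home.example"
#   step ca policy authority x509 allow dns "*.lab.home.example"
# This script only checks, offline, which names such a policy would accept,
# assuming (per the comment) that "*" matches a single label and nothing else.

# dns_allowed NAME PATTERN...  -> exit 0 if NAME matches any PATTERN
dns_allowed() {
    name=$1
    shift
    for pat in "$@"; do
        case $pat in
            \*.*)
                suffix=${pat#\*.}
                # Strip ".suffix" from the end; what remains must be one label.
                head=${name%."$suffix"}
                if [ "$head" != "$name" ] && [ -n "$head" ] \
                   && [ "${head#*.}" = "$head" ]; then
                    return 0
                fi
                ;;
            *)
                # Non-wildcard entries must match exactly.
                if [ "$name" = "$pat" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Constructed sample names; the policy is the two wildcard entries above.
for n in web.home.example deep.lab.home.example x.y.home.example \
         home.example web.home.example.evil; do
    if dns_allowed "$n" '*.home.example' '*.lab.home.example'; then
        echo "allow $n"
    else
        echo "deny  $n"
    fi
done
```

The wildcard patterns are passed quoted so the shell never glob-expands `*.home.example` against the current directory; `home.example` itself and `web.home.example.evil` are denied because the match is anchored to the full `.suffix`, and `x.y.home.example` is denied because two labels remain after the suffix is removed.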