#nerdcert — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #nerdcert, aggregated by home.social.
-
OK. Now that I understand how to create working S/MIME certificates for signed and/or encrypted eMail with my own Certificate Authority (CA), I can take it to the next level. Federated CAs. Decentralised trust relationships between CAs. https://smallstep.com/blog/step-v0.8.3-federation-root-rotation/
-
TIL (Today I learned) about RFC9495 https://datatracker.ietf.org/doc/rfc9495/ that extends RFC8659 by adding a new CAA property in DNS called "issuemail" that defines wich CA(s) (Certification Authorities) are allowed to create S/MIME eMail certificates for a domain. And if you don't use S/MIME, you should set it to ";" which means that no CA is allowed to do that.
So I added
CAA 0 issuemail ";"
to the dns of my domains until my CA (Certificate Authority) can produce S/MIME certificates.
-
And because it's called podman for a reason, the CA now runs in a pod, so I can add more containers to it, if needed. I will update the gists to reflect that change. (UPDATE: Done)
4/4
-
So now my Cute Homelab has its own CA (Certificate Authority), neatly packed in a container that works with certbot and I can use valid certificates all over my homelab and local network for more experiments :) And it only uses 17MB of RAM.
3/4
-
Added a few new gists on setting up a homelab Certificate Authority (CA) on a RHEL 10 machine with step-ca as podman container in preparation for a longer blogpost on the topic.
- Basic Step CA setup as podman container
- Manually add a root CA certificate to RHEL 10
- Manually generate certificates with Step CAhttps://codeberg.org/jwildeboer/gists/src/branch/main
Tomorrow I will add a gist on using certbot to renew certificates in my homelab using that CA.
1/4
-
- Created a working Certificate Authority as podman container (totally NOT secure, for testing only)
- Made it trusted on Linux (RHEL), iOS and MacOS by importing the root cert the right way
- Generated and installed working certificates for my homelab machinesDocumented those basics as gists at https://codeberg.org/jwildeboer/gists/src/branch/main
-
The first certificate created by #nerdcert, with a very untrustworthy Alpha CA setup.
The certificate is working on my iPhone. This is just a very first test, but seeing it doing what it’s supposed to do is very satisfying. Nice.
Read more about the ideas at https://nerdcert.eu (which has a letsencrypt certificate ;)
-
This topic has been occupying my brain cycles for quite some time now. It's already so deep down that I spontaneously sing "I am CA" to the Village People's YMCA song :) So it's time to share with you all and get more input. (CA is Certification Authority in x.509 lingo, I'll explain it all in my blog series :) (Why didn't #cacert think about this many years ago? Damn ;)
-
This topic has been occupying my brain cycles for quite some time now. It's already so deep down that I spontaneously sing "I am CA" to the Village People's YMCA song :) So it's time to share with you all and get more input. (CA is Certification Authority in x.509 lingo, I'll explain it all in my blog series :) (Why didn't #cacert think about this many years ago? Damn ;)
-
This topic has been occupying my brain cycles for quite some time now. It's already so deep down that I spontaneously sing "I am CA" to the Village People's YMCA song :) So it's time to share with you all and get more input. (CA is Certification Authority in x.509 lingo, I'll explain it all in my blog series :) (Why didn't #cacert think about this many years ago? Damn ;)
-
This topic has been occupying my brain cycles for quite some time now. It's already so deep down that I spontaneously sing "I am CA" to the Village People's YMCA song :) So it's time to share with you all and get more input. (CA is Certification Authority in x.509 lingo, I'll explain it all in my blog series :) (Why didn't #cacert think about this many years ago? Damn ;)
-
Forcing myself to share my thoughts on x.509 certificates. Here's the introduction:
"x.509 certificates are boring. They're everywhere. They connect "things". Like browsers and websites. Like (micro)services. IoT (Internet of Things) devices. E-mail servers. Printers. They make (SSL/TLS) connections secure. Since many years. And they are, in my humble opinion, in trouble. Part One: Something's Brewing. Or, alternatively: Boring is Good But It can become Better."
Soon a blog post.
-
Bought a third (refurbished) ThinkCentre M910q Tiny (i5-6500T, 16GB RAM, 256GB SSD, €115) to serve as a test bed for running an air-gapped CA (Certification Authority) with a Nitrokey HSM.
I might soon need to get the 9U or 12U 10 inch rack :)
-
(soon a blog post)
Thinking about setting up a little cooperative called #nerdcert. Where we use letsencrypt style certificate generation, renewals and distribution, with ACME support, but only for certificates that have EKU (Extended Key Usage) entries that go beyond serverAuth, the only thing Google will accept from mid next year :) Context: Thread and replies at https://social.wildeboer.net/@jwildeboer/114517884390728050