I love my homelab, and the more I tune things the more satisfaction I have. I tolerated the “Your connection is not private” for my self-signed SSL certs on my services for way too long.

I just setup NGINX Proxy Manager as a LXC on my Proxmox Server and pointed a subdomain I own to the server. Now I have custom domains for each service along with valid SSL Certificates. It’s all local without exposing anything to the outside world. It’s very satisfying. I tried explaining what I was doing to my GF but she could care less ¯\_(ツ)_/¯

Followed this video from Wolfgang’s Channel YouTube (great channel btw), the first minute does a better job explaining the setup. I always thought I would have to setup a local CA which is more work than I was interested in, but this approach was much simpler (and free!).

  • EODdoUbleU@alien.topBEnglish
    1·
    1 year ago

    For my Root I use OpenSSL with the pkcs11 module to keep the keys on a Yubikey, then I use Step CA as an intermediate/issuing.

      • EODdoUbleU@alien.topBEnglish
        1·
        1 year ago

        How are you handling RootCA secrets? Right now, I’m using a (couple) USB drive with a two Luks partitions, one for CA key backup and Yubikey management and PUK keys, then one that only contains the PIN which is fetched by OpenSSL using -passin file:xxx.

        I’ve been a little concerned about being able to properly back all that up, so I was thinking about using KeepassXC and the CLI tool to replace the partitions.

    • Simon-RedditAccount@alien.topBEnglish
      1·
      1 year ago

      Planning to use Yubikey for one of my subCAs. Do you know a good writeup on OpenSSL+Yubikeys?

      Also, which Yubikey slot do you use for storing the cert/pkey?