Prepare HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for AIA protocol) and CRL (for validation)

Or create a repository on Github, point ca.yourdomain.com to Github Pages and publish there. Doing this solves the PKI chicken-and-egg problem for a homelab and doesn’t tie up any resources to serve them.

How are you handling RootCA secrets? Right now, I’m using a (couple) USB drive with a two Luks partitions, one for CA key backup and Yubikey management and PUK keys, then one that only contains the PIN which is fetched by OpenSSL using -passin file:xxx.

I’ve been a little concerned about being able to properly back all that up, so I was thinking about using KeepassXC and the CLI tool to replace the partitions.

For my Root I use OpenSSL with the pkcs11 module to keep the keys on a Yubikey, then I use Step CA as an intermediate/issuing.