local CA with ACME capability
Posted by Flaky_Key3363@reddit | sysadmin | 5 comments
I need a local CA for internal certs. I'm considering building a cloud-init created VM to hold a local CA.
When I created a manual version of this a couple of years ago for a customer, I used Smallstep's community package. Since that time, Smallstep has put up a wall around their product offering and it feels like they are hiding their community package. I am reluctant to use Smallstep because I would be creating something that looks like it competes with their product offering.
Are there any other ACME capable CAs that are more open?
racomaizer@reddit
How difficult is it to track their GitHub release page? Official deb package, packaging effort has been made in Arch, Alpine, NixOS. Container image available too.
How could your local CA be "creating something that looks like it competes with their product offering"?
MarbinDrakon@reddit
I used to use Dogtag for a local ACME issuer in my lab but have recently swapped over to HashiCorp Vault's PKI engine with ACME enabled now that they have it available. Vault can be a little much (dealing with auto-unseal, HA, etc.) if all you need is the PKI part.
Enterprise support is available for both in some form (Red Hat Certificate System or RHEL IdM for Dogtag and Vault Enterprise from HashiCorp) but the ACME functionality is not locked behind enterprise licensing.
sheephog@reddit
This is probably above me, but from homelab experience, I would have a DNS challenge for a wildcard cert and utilise my reverse proxy to manage it. This way I have certs for my internal services. Of course this is homelab, using Let's Encrypt and nginx for the reverse proxy.
Flaky_Key3363@reddit (OP)
For a home lab, wildcard certs are acceptable because the primary use, in my opinion, is to get rid of the warnings in browsers.
My goal for this VM is to provide local short-lifetime certificates for higher security. I also hope to figure out how to make SSH work with short-lifetime certificates and to satisfy the certificate requirements of small business cyber insurance policies.
I'm not planning on making this a super secure environment because that is more work than I'm willing to do for free. I'm not sure where the practical upper limit is for a tiny CA like this, but I know that at some point running your own CA doesn't make any sense and it's time to go to someone like Smallstep.
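The short-lifetime model the OP describes can be sketched with nothing but Go's standard library, which is also what Smallstep's and Vault's issuers are built on. The example below is added here and is not code from the thread or from any of the products mentioned: it builds a self-signed internal root, issues a server leaf whose lifetime is measured in hours rather than years, refuses to issue a leaf that would outlive the root, and then verifies the leaf the way a TLS client would, both now and after the leaf has expired. The CA name and the hostname `app.lab.internal` are made-up placeholders. An ACME server would receive a CSR from the client instead of generating the leaf key itself; that step is simplified here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LocalCA holds the root certificate and signing key of a tiny internal CA.
// In a real deployment the key would live in an HSM or at least on disk with
// restricted permissions; here it stays in memory for the demonstration.
type LocalCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// randomSerial returns a 128-bit random serial, as public CAs do, so that
// serials are unpredictable and never collide across restarts.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewLocalCA creates a self-signed root that may only sign certificates
// (no TLS usage itself) and may not issue subordinate CAs (pathlen 0).
func NewLocalCA(name string, lifetime time.Duration) (*LocalCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate clock skew
		NotAfter:              now.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LocalCA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a leaf for one DNS name with the requested short TTL.
// The leaf key is generated here for simplicity; an ACME flow would instead
// take the public key from the client's CSR after solving a challenge.
func (ca *LocalCA) IssueServerCert(dnsName string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             now.Add(-5 * time.Minute),
		NotAfter:              now.Add(ttl),
		BasicConstraintsValid: true, // CA:FALSE is encoded explicitly
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// A leaf that outlives its issuer is unverifiable for part of its life,
	// so refuse the request rather than silently issue it.
	if tmpl.NotAfter.After(ca.Cert.NotAfter) {
		return nil, nil, errors.New("requested TTL would outlive the CA certificate")
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, key, nil
}

// Verify checks the leaf against this CA for the given hostname at the given
// time, mirroring what a TLS client that trusts only this root would do.
func (ca *LocalCA) Verify(leaf *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewLocalCA("Lab Root CA (placeholder)", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueServerCert("app.lab.internal", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid now:     ", ca.Verify(leaf, "app.lab.internal", time.Now()))
	fmt.Println("valid in 2 days:", ca.Verify(leaf, "app.lab.internal", time.Now().Add(48*time.Hour)))
}
```

With a one-day TTL the renewal job, not revocation, is what limits the damage from a leaked server key, which is the point of the "higher security" the OP is after; the trade-off is that the issuer and its clock become availability-critical, so the automation that renews must itself be monitored.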
sheephog@reddit
Aha, thanks for the insight.