Hi, I was looking at private CAs since I don’t want to pay for a domain to use in my homelab.
What is everyone using for their private CA? I’ve been looking at plain OpenSSL with some automation scripts but would like more ideas. Also, if you have multiple reverse-proxy instances, how do you distribute domain-specific signed certificates to them? I’m not planning to use a wildcard, and would like to rotate certificates often.
Thanks!
Edit: thank you for everyone who commented! I would like to say that I recognise the technical difficulty in getting such a setup working compared to a simple certbot setup to Let’s Encrypt, but it’s a personal choice that I have made.
Finally got around to replying to the comments I got haha!
Thanks for the explanation. I’m curious why you’re not running your own CA since that seems to be a more seamless process than having to deal with ugly SSL errors for every website, every time you rotate the certificate.
I’m wondering about different the process is between running an ACME server and another daemon/process like
certbotto pull certificates from it, vs writing an ansible playbook/simple shell script to automate the rotation of server certificates.About my clients: I am likely never going to purchase Apple products since I recognise how much they lock down their device. Unfortunately, there are not that many android devices in the US with custom ROM support. With that said, I do plan to root all of my Android devices when KernelSU matures (in about a year, I think) - I’m currently reading up on how to insert a root and client certificate into Android’s certificate store, but I think it’s definitely possible. Other than that, I might have a throwaway Windows VM sometimes, which is doable, alongside a Void linux box with a Debian chroot. All in all, fairly doable, just a bit of work to automate.
Thanks!