Step CA is really the way to go! I even got it working with a true random number generator. If you put your root key on a yubiki, it’s even more secure! They have beautiful tutorials.
The signing part of this never seemed particularly difficult. Keeping the host key safe was, but U2F dongles are cheap and you can use them to store the private key. Beyond that, revocation is the other hard bit. Managing revocation lists is annoying enough that you typically want to do two-deep chains where you sign one signing cert per use and then use that to generate short-lived certs via ACME (or similar), which means you also want an ACME server and then the infrastructure complexity starts to grow.
I do something similar with https://github.com/smallstep/cli.
It’s a lot simpler with that tool.
Step CA is really the way to go! I even got it working with a true random number generator. If you put your root key on a yubiki, it’s even more secure! They have beautiful tutorials.
The signing part of this never seemed particularly difficult. Keeping the host key safe was, but U2F dongles are cheap and you can use them to store the private key. Beyond that, revocation is the other hard bit. Managing revocation lists is annoying enough that you typically want to do two-deep chains where you sign one signing cert per use and then use that to generate short-lived certs via ACME (or similar), which means you also want an ACME server and then the infrastructure complexity starts to grow.
I find it pretty interesting that to get certs to work for modern browsers, you don’t need any CRL/OCSP setup at all…
In fact step ca doesn’t even support CRLs because they’re hoping your cert life is in the days or hours instead of months
It’s surprising how few clients check for revocation anyway
Browsers don’t like CRLs because they add latency, but unfortunately they don’t recommend an alternative.
Short life i suppose