OK. Now that I understand how to create working S/MIME certificates for signed and/or encrypted eMail with my own Certificate Authority (CA), I can take it to the next level. Federated CAs. Decentralised trust relationships between CAs. https://smallstep.com/blog/step-v0.8.3-federation-root-rotation/

#SelfHost #CA #x509 #nerdcert

Step v0.8.3: Federation and Root Rotation for step Certificates

The purpose of federation is to allow for secure communication across autonomous systems (e.g., across clouds or between kubernetes clusters). In this post, we’ll take a closer look into how federation works and how the step toolkit expands robust identity bootstrapping beyond a single Kubernetes cluster, cloud, or VM without getting bogged down by operational challenges.

TIL (Today I learned) about RFC9495 https://datatracker.ietf.org/doc/rfc9495/ that extends RFC8659 by adding a new CAA property in DNS called "issuemail" that defines which CA(s) (Certification Authorities) are allowed to create S/MIME eMail certificates for a domain. And if you don't use S/MIME, you should set it to ";" which means that no CA is allowed to do that.

So I added

CAA 0 issuemail ";"

to the DNS of my domains until my CA (Certificate Authority) can produce S/MIME certificates.
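As an added illustration (not code from the thread or from the RFC), here is how a CA, or a defender auditing their own zone, would evaluate the "issuemail" property: it goes a little beyond the post by also applying the RFC 8659 rules that the thread relies on implicitly, namely climbing to the parent domain when a name has no CAA records and refusing issuance when an unknown critical property is present. The zone contents are constructed in memory; no real DNS is queried.

```python
# Added example: RFC 9495 "issuemail" evaluation over a constructed zone.
# Constructed CAA data (not real DNS): domain -> list of (flags, tag, value).
ZONE = {
    "example.com": [(0, "issuemail", ";")],              # S/MIME issuance forbidden
    "corp.example": [(0, "issue", "web-ca.example")],    # only TLS issuance restricted
    "mail.example.net": [(0, "issuemail", "ca.example; account=42")],
    "strict.example": [(128, "futuretag", "x")],         # unknown *critical* tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


def relevant_caa_rrset(domain):
    """RFC 8659 lookup: walk from the domain toward the root and return the
    first non-empty CAA RRset found (subdomains inherit their parent's policy)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def smime_issuance_allowed(mailbox_domain, issuer_domain):
    """True if issuer_domain may issue an S/MIME certificate for an address
    whose domain part is mailbox_domain, per RFC 9495 semantics."""
    rrset = relevant_caa_rrset(mailbox_domain)
    # RFC 8659: a property the issuer does not understand, marked critical
    # (flag bit 128), forbids issuance of any kind.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issuemail_values = [v for _, tag, v in rrset if tag.lower() == "issuemail"]
    # RFC 9495: with no issuemail property, S/MIME issuance is unrestricted;
    # "issue"/"issuewild" only govern certificates for domain names.
    if not issuemail_values:
        return True
    for value in issuemail_values:
        # Value is "<issuer-domain-name>[; param=value ...]".
        # An empty issuer name (the bare ";" from the post) authorises nobody.
        name = value.split(";", 1)[0].strip().lower()
        if name and name == issuer_domain.lower().rstrip("."):
            return True
    return False


def email_domain(address):
    """Domain part of a mailbox, which is where the CAA lookup starts."""
    return address.rsplit("@", 1)[1]
```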

#SMIME #CA #NerdCert

RFC 9495: Certification Authority Authorization (CAA) Processing for Email Addresses

The Certification Authority Authorization (CAA) DNS resource record (RR) provides a mechanism for domains to express the allowed set of Certification Authorities that are authorized to issue certificates for the domain. RFC 8659 contains the core CAA specification, where Property Tags that restrict the issuance of certificates that certify domain names are defined. This specification defines a Property Tag that grants authorization to Certification Authorities to issue certificates that contain the id-kp-emailProtection key purpose in the extendedKeyUsage extension and at least one rfc822Name value or otherName value of type id-on-SmtpUTF8Mailbox that includes the domain name in the subjectAltName extension.

IETF Datatracker

And because it's called podman for a reason, the CA now runs in a pod, so I can add more containers to it, if needed. I will update the gists to reflect that change. (UPDATE: Done)

4/4

#nerdcert #homelab #SelfHost #x509 #CA

So now my Cute Homelab has its own CA (Certificate Authority), neatly packed in a container that works with certbot and I can use valid certificates all over my homelab and local network for more experiments :) And it only uses 17MB of RAM.

3/4

#nerdcert #homelab #SelfHost #x509 #CA

Added a few new gists on setting up a homelab Certificate Authority (CA) on a RHEL 10 machine with step-ca as podman container in preparation for a longer blogpost on the topic.

- Basic Step CA setup as podman container
- Manually add a root CA certificate to RHEL 10
- Manually generate certificates with Step CA

https://codeberg.org/jwildeboer/gists/src/branch/main

Tomorrow I will add a gist on using certbot to renew certificates in my homelab using that CA.

1/4

#nerdcert #homelab #SelfHost #x509 #CA

gists

A collection of short notes on specific little things that are good enough to share but not yet valuable enough for a blog entry. Mostly geeky stuff. Free to copy/paste, no restrictions from my side. Artisanal, hand typed content. No AI.

Codeberg.org

#nerdcert #3GoodThings

- Created a working Certificate Authority as podman container (totally NOT secure, for testing only)
- Made it trusted on Linux (RHEL), iOS and MacOS by importing the root cert the right way
- Generated and installed working certificates for my homelab machines

Documented those basics as gists at https://codeberg.org/jwildeboer/gists/src/branch/main

The first certificate created by #nerdcert, with a very untrustworthy Alpha CA setup.

The certificate is working on my iPhone. This is just a very first test, but seeing it doing what it’s supposed to do is very satisfying. Nice.

Read more about the ideas at https://nerdcert.eu (which has a letsencrypt certificate ;)

This topic has been occupying my brain cycles for quite some time now. It's already so deep down that I spontaneously sing "I am CA" to the Village People's YMCA song :) So it's time to share with you all and get more input. (CA is Certification Authority in x.509 lingo, I'll explain it all in my blog series :) (Why didn't #cacert think about this many years ago? Damn ;)

#nerdcert

Forcing myself to share my thoughts on x.509 certificates. Here's the introduction:

"x.509 certificates are boring. They're everywhere. They connect "things". Like browsers and websites. Like (micro)services. IoT (Internet of Things) devices. E-mail servers. Printers. They make (SSL/TLS) connections secure. Since many years. And they are, in my humble opinion, in trouble. Part One: Something's Brewing. Or, alternatively: Boring is Good But It can become Better."

Soon a blog post.

#nerdcert

Bought a third (refurbished) ThinkCentre M910q Tiny (i5-6500T, 16GB RAM, 256GB SSD, €115) to serve as a test bed for running an air-gapped CA (Certification Authority) with a Nitrokey HSM.

I might soon need to get the 9U or 12U 10 inch rack :)

#nerdcert