Achievement unlocked 🔓
My homelab now has valid internal TLS certificates, automatically renewed by certbot on a step-ca server.
Step CA configured with PostgreSQL backend and the ACME provider in my homelab. Clients trust the CA. Next steps: configure certbot and add monitoring to check certificate expiration.

So you have a Cute Homelab and you want to use it to secure your services and containers with x509 certificates? But your homelab isn’t on the internet, so you can’t simply use LetsEncrypt? Well. You can become your own LetsEncrypt and hand out certificates with certbot. You “just” need to run your own CA (Certificate Authority). Sounds frightening and complicated? It kinda is, but not really when you use step-ca, an open source solution that you can run in a container.
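As an added illustration of the setup the post above describes (not code from the post's author or from the step-ca project), this is a minimal step-ca `ca.json` with a PostgreSQL backend and an ACME provisioner, which is what certbot talks to. The hostname `ca.homelab.lan`, the file paths, the database credentials and the port are assumed placeholders; the key names follow step-ca's documented configuration format.

```json
{
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "address": ":9000",
  "dnsNames": ["ca.homelab.lan"],
  "logger": { "format": "text" },
  "db": {
    "type": "postgresql",
    "dataSource": "postgresql://step:CHANGE_ME@db.homelab.lan:5432/",
    "database": "stepca"
  },
  "authority": {
    "provisioners": [
      { "type": "ACME", "name": "acme" }
    ]
  },
  "tls": {
    "cipherSuites": [
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    ],
    "minVersion": 1.2,
    "maxVersion": 1.3,
    "renegotiation": false
  }
}
```

With this configuration the ACME directory certbot needs is `https://ca.homelab.lan:9000/acme/acme/directory` (the second `acme` is the provisioner name). Clients must trust `root_ca.crt` before certbot can validate the CA's own TLS endpoint, which is why the post above stresses trusting the CA first; the intermediate key file should be readable only by the step-ca service user.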
In the end it was a harder nut to crack than expected, but my home network now has its own CA based on #stepca; #caddy runs as a reverse proxy and handles certificates automatically for the services running in my #homelab.
A foundation I have wanted for a long time, but I never took the time to dig in deeper and set it up properly.
Next up: make backups and document what I did.
@Larvitz How is Step CA? Are you coming from another CA solution?
Been thinking about running #stepca in my #kubernetes cluster, but have been apprehensive because of how many features seem to be gated behind smallstep's proprietary version. Would love to have this integrated with #certmanager and using the #tpm on my nodes. Was going to do a rearchitecting of my entire #auth and #cryptography stack when I switch from the deprecated #Ingress API to the #GatewayAPI
What a project. Did configure StepCA in my home-lab with a real physical HSM for the CA's private key. Using a SmartcardHSM (https://www.smartcard-hsm.com) from CardContact Systems.
Now I have acme (automated cert provisioning) working internally as long as the HSM is plugged into my server.
All running in an isolated FreeBSD 15-RELEASE jail (StepCA compiled from source with added PCSC-Lite support and usb device passed through by devfs rules).
Yay! It works!
#freebsd #stepca #devops #acme #certificates #tls #smartcard #hsm
When all parts come together ;) I now have S3 compatible storage with #garage in my homelab, using #nginx as reverse proxy and secured with a certificate from my own #StepCA based CA (Certificate Authority) that gets auto-renewed by #certbot. And this all works without any internet connection, as I also have a DNS server for my home network with the correct CNAME entry for s3.
🤔 According to the overview, both #Nitrokey3 and #NitrokeyHSM2 support #PKCS11. The linked data sheets also list comparable signing times.
Do I need the HSM key for a #homelab #stepca (smallstep-ca), or is the normal key enough?