Larvitz :fedora: :redhat:
@Larvitz@burningboard.net  ·  activity timestamp 7 days ago

What a project. Did configure StepCA in my home-lab with a real physical HSM for the CA's private key. Using a SmartcardHSM (https://www.smartcard-hsm.com) from CardContact Systems.

Now I have acme (automated cert provisioning) working internally as long as the HSM is plugged into my server.

All running in an isolated FreeBSD 15-RELEASE jail.

Yay! It works!

#freebsd #stepca #devops #acme #certificates #tls #smartcard #hsm

voipmeister
@voipmeister@social.datarek.nl replied  ·  activity timestamp 6 days ago

@Larvitz Interesting! Will you be blogging about it? (Asking for a friend)

Larvitz :fedora: :redhat:
@Larvitz@burningboard.net replied  ·  activity timestamp 6 days ago

@voipmeister I'll add it to my list :)

Sam Lehman :nixos:
@Lehmanator@fosstodon.org replied  ·  activity timestamp 7 days ago

@Larvitz How is Step CA? Are you coming from another CA solution?

Been thinking about running #stepca in my #kubernetes cluster, but have been apprehensive because of how many features seem to be gated behind smallstep's proprietary version. Would love to have this integrated with #certmanager and using the #tpm on my nodes. Was going to do a rearchitecting of my entire #auth and #cryptography stack when I switch from the deprecated #Ingress API to the #GatewayAPI

Larvitz :fedora: :redhat:
@Larvitz@burningboard.net replied  ·  activity timestamp 6 days ago

@Lehmanator StepCA is pretty lightweight. The PKCS#11 integration was a bit finicky but it does work reliably.

I used xCA before and Step is way better for automation, as it has the provisioners like ACME and the Step cli client.

I’ve only installed it yesterday, but so far, I like it. I also have it integrated with CertManager on my OpenShift cluster and it’s working fine to provision certs.

HashiVault is probably more powerful, but also way more complex to maintain.

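The post above relies on step-ca's PKCS#11 KMS to keep the CA key on the HSM. The following checker is an added example, not code from step-ca or from the poster's setup. It assumes the documented ca.json layout (a top-level "kms" object with "type": "pkcs11" and an RFC 7512 pkcs11: "uri", plus a top-level "key" that is itself a pkcs11: URI selecting the object on the token), that step-ca accepts "pin-source" as well as "pin-value" in that URI, and that the SmartCard-HSM is driven through OpenSC's opensc-pkcs11.so; the module path, token label, PIN and object id in the sample configs are constructed for this example. It parses the URI and reports the configuration mistakes that most often leave a "finicky" PKCS#11 setup either not using the HSM at all or leaking the PIN into the config file.

```python
"""Sanity-check a step-ca ca.json that keeps its CA key on a PKCS#11 HSM.

Added example; the ca.json field names follow step-ca's documentation,
everything else (paths, token label, PIN, object id) is constructed.
"""
import json
from urllib.parse import unquote


def parse_pkcs11_uri(uri: str) -> tuple[dict, dict]:
    """Split an RFC 7512 'pkcs11:' URI into (path attrs, query attrs).

    Path attributes are ';'-separated, query attributes '&'-separated,
    and values are percent-encoded, e.g. id=%01%02.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split(part: str, sep: str) -> dict:
        attrs = {}
        for item in (part.split(sep) if part else []):
            name, _, value = item.partition("=")
            attrs[name] = unquote(value)
        return attrs

    return split(path_part, ";"), split(query_part, "&")


def check_ca_config(config: dict) -> list:
    """Return a list of findings; an empty list means the config looks sound."""
    findings = []
    kms = config.get("kms") or {}
    if kms.get("type") != "pkcs11":
        findings.append("kms.type is not pkcs11: the CA key would live on disk")
        return findings
    try:
        path, query = parse_pkcs11_uri(kms.get("uri", ""))
    except ValueError as exc:
        findings.append(f"kms.uri: {exc}")
        return findings
    if "module-path" not in path:
        findings.append("kms.uri: no module-path, so no PKCS#11 driver can be loaded")
    if not (set(path) & {"token", "serial", "slot-id"}):
        findings.append("kms.uri: no token/serial/slot-id; the token used depends on "
                        "enumeration order, which changes when devices are replugged")
    if "pin-value" in query:
        findings.append("kms.uri: PIN is embedded in ca.json (pin-value); "
                        "prefer pin-source pointing at a root-only file")
    key = config.get("key", "")
    if not key.startswith("pkcs11:"):
        findings.append("key: is a file path, not a pkcs11 URI, so the CA key is NOT on the HSM")
    else:
        key_path, _ = parse_pkcs11_uri(key)
        if not (set(key_path) & {"id", "object"}):
            findings.append("key: pkcs11 URI selects no object (needs id= or object=)")
    return findings


# Constructed sample: PIN inline in the URI, as quick-start examples tend to show it.
WEAK = {
    "kms": {"type": "pkcs11",
            "uri": "pkcs11:module-path=/usr/local/lib/opensc-pkcs11.so;"
                   "token=SmartCard-HSM?pin-value=648219"},
    "key": "pkcs11:id=7330;object=intermediate-key",
}

# Same config with the PIN moved out of ca.json into a file only root can read.
HARDENED = {
    "kms": {"type": "pkcs11",
            "uri": "pkcs11:module-path=/usr/local/lib/opensc-pkcs11.so;"
                   "token=SmartCard-HSM?pin-source=/usr/local/etc/step/hsm.pin"},
    "key": "pkcs11:id=7330;object=intermediate-key",
}

if __name__ == "__main__":
    # Pass a real file as sys.argv[1] to check it; otherwise run on the samples.
    import sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK
    for finding in check_ca_config(cfg) or ["no findings"]:
        print(finding)
```

Running it against the weak sample reports the embedded PIN; the hardened sample produces no findings. The "key" check matters most in practice: if `key` still points at a PEM file on disk after switching `kms.type` to pkcs11, step-ca starts and signs happily, but the HSM is not protecting anything.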
Sam Lehman :nixos:
@Lehmanator@fosstodon.org replied  ·  activity timestamp 6 days ago

@Larvitz I was also looking into Vault, especially because you can use it to encrypt k8s secrets, but I remember seeing something about Hashicorp pulling some BS wrt open source, so I am hesitant to make their products core to my infra. Open core in general always susses me out.

The two biggest still unmade decisions are CAs and IDPs. Leaning towards step since I can easily do TLS, PKCS11, & SSH certs and integrate with cert-manager via ACME. Glad to hear it is working well for you so far!

Larvitz :fedora: :redhat:
@Larvitz@burningboard.net replied  ·  activity timestamp 6 days ago

@Lehmanator You might want to look at OpenBAO (https://openbao.org). That's a fork of Vault that is truly open source and developed independently by the OpenSSF under a Mozilla Public License.

Sam Lehman :nixos:
@Lehmanator@fosstodon.org replied  ·  activity timestamp 6 days ago

@Larvitz Will definitely have to consider this.

Also reminded me that it was the whole ordeal with Terraform / OpenTofu that was what soured me on using Hashicorp products.

Alison Chaiken
@alison@burningboard.net replied  ·  activity timestamp 6 days ago

@Lehmanator @Larvitz I was wondering the same thing. I have many Yubikeys which I stress endlessly about losing. Why SmartCard HSM instead?

Larvitz :fedora: :redhat:
@Larvitz@burningboard.net replied  ·  activity timestamp 6 days ago

@alison @Lehmanator Yubikey is more intended for client authentication.

An HSM is for a certification authority; it has more internal storage for certificates and has features that are for that kind of enterprise use (key shares/PBE for backups etc.).

You can run a CA with a Yubikey, but the HSM is a device specifically designed for that use case.
