iheartkda.blogg.se

Usb c yubikey

TL;DR: In this tutorial, we're going to build a tiny, standalone, online Certificate Authority (CA) that will mint TLS certificates and is secured with a YubiKey. It will be an internal ACME server on our local network (ACME is the same protocol used by Let's Encrypt). The YubiKey will securely store the CA private keys and sign certificates, acting as a cheap alternative to a Hardware Security Module (HSM). We'll also use an open-source True Random Number Generator, called Infinite Noise TRNG, to spice up the Linux entropy pool.

Why would I want a Certificate Authority in my homelab?!

  • Because end-to-end TLS is great and you should easily be able to run TLS wherever you need it. Internal networks are no longer perceived as a safe zone where unencrypted traffic is okay.
  • Because TLS client authentication is becoming more widely supported in different services, and it's a lot better than passwords.
  • Because the ACME protocol (used by Let's Encrypt) can easily be deployed internally, so you can automate renewal and never have to think about your certificates.
  • Because maybe you've done the 'self-signed certificate' rigmarole with OpenSSL a dozen times already. Might as well formalize things and get your devices to trust a CA that you can use wherever you need it.
  • Because setting up a simple CA is a great learning experience.

Still not convinced? Spin up a free hosted homelab CA using our Certificate Manager offering instead.

  • Raspberry Pi 4 Model B 2GB + microSD card.
  • Any YubiKey that supports the Personal Identity Verification (PIV) application, for CA signing operations.
  • Optional: Infinite Noise TRNG for outboard random number generation.
  • A USB thumb drive (or a second YubiKey) for storing an offline backup of our CA.
  • We'll be running the step-ca open-source online Certificate Authority.

Part 1: System Setup

Basic OS & Networking Setup

  • On your laptop, burn the Ubuntu 22.10 Server 64-bit ARM pre-installed server image onto the microSD card using the Raspberry Pi Imager.
  • Fire up the Raspberry Pi, plug it into your network, and find its initial IP address.
  • You can run arp -na | grep -e "b8:27:eb" -e "dc:a6:32" -e "e4:5f:01" to discover Raspberry Pi devices on the local network.
  • Log in via SSH (username and password will be ubuntu), and change the password.
  • Set the hostname via hostnamectl set-hostname tinyca.
  • Set the timezone using timedatectl set-timezone America/Los_Angeles (or whatever your timezone is; timedatectl list-timezones will list them all).

Check status with timedatectl; make sure "NTP Service" is "active".









