Go to file
Ketan Vijayvargiya e83366d03c Add first draft 2024-04-17 14:08:09 +00:00
config Add first draft 2024-04-17 14:08:09 +00:00
.env Add first draft 2024-04-17 14:08:09 +00:00
README.md Add first draft 2024-04-17 14:08:09 +00:00
compose.yaml Add first draft 2024-04-17 14:08:09 +00:00



This repository contains the code behidn my talk, TLS in the homelab: the easy way and the hard way, from LinuxFest Northwest 2024. More details here.



First, find a box and a domain. I did the following for the talk but there are numerous alternatives:

  • A cheap VM from Hetzner.
  • A free domain, wagondime.duckdns.org, from Duck DNS and pointed its IP addresses to the VM.

Second, install Docker and run docker compose up -d.

Step CA

Once you spin up the Step CA container, run docker compose logs step-ca and you'll see 2 lines like these:

step-ca-1  | 👉 Your CA administrative password is: ...
step-ca-1  | 2024/04/07 01:13:51 X.509 Root Fingerprint: ...

Hang on to the admin password as I don't think you'll be able to access it later. You can also note down the root fingerprint or regenerate it later by running:

docker compose exec step-ca step certificate fingerprint certs/root_ca.crt

Step CLI

Once Step CA is ready, setup the Step CLI on some client machine. (Just ensure that Step CA is accessible from whatever client machine you pick. You could use Tailscale, for instance. For the talk, I reused the same Hetzner box as the client, whcih is why you'll see localhost in the next command.)

Bootstrap the CLI:

step ca bootstrap \
    --ca-url localhost:9000 \

'whoami-1': Free certificate from Let's Encrypt

curl https://whoami-1.wagondime.duckdns.org

'whoami-2': Custom certificate from Step CA

First, get the root certificate on the client:

step ca root root_ca.crt


curl --cacert root_ca.crt https://whoami-2.wagondime.duckdns.org

'whoami-3': Custom certificate from Step CA, with mTLS

First, get a client certificate on the client:

step ca certificate \
    demo client.crt client.key \
    --ca-url=localhost:9000 \

Optionally, if you want to import the client certificate into an iOS or macOS certificate store, convert the 2 files to p12 format:

step certificate p12 --legacy client.p12 client.crt client.key

The following should now work:

curl \
	--cert client.crt \
	--key client.key \
	--cacert root_ca.crt \