Certwarden as a CA?

topcoffee4272

Hi there still trying to understand the app so far its been a lot of learning and trying to figure things out. Managed to create some certs setup with the cloudflare provider for idrac but that's about as far as I got so far.

I recently started working on a project in my homelab that requires a trusted self-signed certificates. Is this something that certwarden can provide? I am attempting to deploy Minio with a KES backend and need a cert that's trusted similar to what you would get from a CA.

This certificate needs to be signed for localhost / the ip of the system not mydomain.com. The problem i have run into is that if I use a self-signed certificate its by default its untrusted by the minio docker container regardless of if I trust the certificate on the local host.

Would this be something that Certwarden can do? Act as a CA for self-signed certificates to make them trusted by default? If so How do I go about doing so? Sorry if this is a stupid question. PKI is something I am not to familiar with.

gregtwallace

Cert Warden is generally used with a public CA. Public CAs will only sign certificates for public domains you control. This would not include something like localhost.

It is possible to roll your own CA and also user Cert Warden, but this is almost certainly not what you want (and adds complexity).

You're probably looking to create your own CA using something like openssl, but you would have to manually add the CA to every device's root trust store, otherwise you'll see trust errors.

Tl;dr:
Public CA: All devices will trust your certificates, but you are limited in the domains you can get certificates for.
Self-Signed CA: Get a cert for any domain you want, but your devices won't trust them unless you manually add the CA to each device's trust store.

topcoffee4272

gregtwallace Ah ok what about integrating it with a HSM? I have a yubiHSM2. From what I read about it this can be configured to act as a CA to sign certs. Would it be possible to integrate with that? Again sorry if this an obvious question.

gregtwallace

Sorry, I'm not familiar with doing that.