I have considered this as the most viable of all my options. But theres still the issue with distributing my root certs to my mobile devices.
On the other hand, I have a freeIPA server running - for DNS and LDAP - that could theoretically also act as a CA, so I could generate my own certs and import the root cert on my devices. That’s nice for desktops and laptops, but with mobile devices, this seems like a lot of tinkering, which - again - I’d like to avoid.
Use vault as a CA and support ACME protocol for Cert manager and is quite easy to use. The documentation is straight forward
I have considered this, but this brings me back to same issue as with FreeIPA:
On the other hand, I have a freeIPA server running - for DNS and LDAP - that could theoretically also act as a CA, so I could generate my own certs and import the root cert on my devices. That’s nice for desktops and laptops, but with mobile devices, this seems like a lot of tinkering, which - again - I’d like to avoid.
I’d have to rolly my certs out to all my mobile devices, which doesn’t sound fun at all.
Probably something compact with a punch. Like a 3-node hci cluster of 1U servers with a terabyte or two of ram and a couple of terabytes of NVMe Storage. Then some networking capable of NVMe speeds and some nice supporting infra like dedicated firewall-, backup- and monitoring appliances. All on a UPS and a generator for emergencies. Also a climate controlled environment to put them in.
After tinkering for a few days I think I finally found the best comnpromise for my setup.
I’m using my public DNS (at cloudflare) to deploy the DNS challenge txt entries, to then issue certs using cert-manager and certbot.
This is security wise not the best solution because all these DNS entries are public, so mapping my internal infrastructure would be somewhat possible, but since it’s a homelab I’m not too concerned about this attack vector.