Hi! For this post I developed a smooth and secure mutual TLS workflow for authenticating to a homelab.
It combines:
- a TLS client certificate and hardware-bound private key stored on a YubiKey (using the YubiKey PIV application)
- ACME device attestation (using the new device-attest-01 ACME challenge type, added in 2022 and introduced in iOS 16)
- recent improvements in browser support for client certificates and smart cards
The result: You can plug the YubiKey into a laptop or mobile device anywhere in the world, pop open a browser, and go directly to your homelab. Most browsers will pick up the client certificate from the YubiKey and you'll authenticate with one click.
I work at Smallstep and this project uses our open source step-ca Certificate Authority, plus a Caddy server as a reverse proxy for homelab apps.
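As an added illustration of the Caddy side of this setup (example configuration, not the post author's or Smallstep's own), here is a Caddyfile that only admits clients presenting a certificate chaining to the step-ca root; the hostname, upstream address and root certificate path are placeholders.

```caddyfile
# Added example: a Caddy reverse proxy for a homelab app that requires a
# client certificate issued by the step-ca root.
# Assumptions (placeholders): homelab.example.com, upstream 127.0.0.1:8080,
# and /etc/caddy/step-ca-root.crt as the step-ca root certificate.
homelab.example.com {
    tls {
        # Require a client certificate and verify it against the step-ca root.
        # A browser without the YubiKey-held certificate fails the TLS
        # handshake before any request reaches the proxied app.
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/step-ca-root.crt
        }
    }
    # Pass the verified client certificate subject upstream so the app can
    # make per-user authorization decisions without terminating TLS itself.
    reverse_proxy 127.0.0.1:8080 {
        header_up X-Client-Cert-Subject {http.request.tls.client.subject}
    }
}
```

Because Caddy sets the header only after successful verification, the app should trust X-Client-Cert-Subject solely on the loopback listener Caddy forwards to.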