Building your own CA infrastructure on cheap HSMs
Practical HSMs are cheap, and you just don’t know it. Government adoption of PIV and CAC has driven prices of PKCS#11 devices down, and you don’t need an expensive enterprise HSM for your offline root signing key.
Further, widespread support for Name Constraints on trust anchors has finally arrived, so you can deploy a private CA to your client devices without affecting the public roots of trust, making it safer than ever to run your own PKI.
This workshop walks through setting up a full solution: generating a CA whose key is contained on a YubiKey, issuing intermediates used for online signing, and distributing those certificates to applications and end-user devices.