Security BSides Las Vegas 2025

Building your own CA infrastructure on cheap HSMs
2025-08-04, Emerald

Practical HSMs are cheap, and you just don’t know it. Government adoption of PIV and CAC has driven prices of PKCS#11 devices down, and you don’t need an expensive enterprise HSM for your offline root signing key.

Further, widespread support for Name Constraints on Trust Anchors has finally arrived, so you can deploy a private CA to your client devices without affecting the public roots of trust, making it safer than ever to run your own PKI.

This workshop is a walkthrough of setting up a full solution: generating a CA whose key is contained on a Yubikey, issuing intermediates used for online signing, and distributing the resulting certificates to applications and end-user devices.


This workshop teaches people to create their own Root Certificate. The key is stored on a Yubikey. The certificate includes name constraints suitable for including in a system trust store, both in your k8s pods and on user devices.

We then mint further name-constrained certificates used as online intermediates, one for user identity and one for pods. These intermediates can be stored online, or stored on their own HSMs.
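The two-layer structure described above (a name-constrained root, then an even narrower online intermediate), as an added example that is not the workshop's material: it uses openssl with software keys, and the domain, network and subject names are constructed placeholders. In the workshop the root key would live on the Yubikey; only the key storage differs.

```shell
#!/bin/sh
# Added example, not the workshop's material: a name-constrained private root
# and a narrower online intermediate built with openssl and software keys.
# In the workshop the root key lives on a Yubikey; here it is a file on disk.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Root CA constrained to DNS names under example.internal and to 10/8
# (constructed values). Marked critical, so a validator must enforce it
# or reject the chain. OpenSSL applies it even though the root is the anchor.
cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Example Private Root
[ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.example.internal, permitted;IP:10.0.0.0/255.0.0.0
EOF
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out root.crt -days 3650 -config root.cnf >/dev/null 2>&1
# Online intermediate for pod identities, narrowed again by its own constraint.
# root.cnf is reused on the CSR commands only so no system openssl.cnf is needed.
printf '%s\n' 'basicConstraints = critical, CA:true, pathlen:0' \
  'keyUsage = critical, keyCertSign, cRLSign' \
  'nameConstraints = critical, permitted;DNS:.pods.example.internal' > int.ext
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -config root.cnf \
  -keyout int.key -out int.csr -subj '/CN=Example Pods Intermediate' >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile int.ext -out int.crt >/dev/null 2>&1
# issue_leaf NAME: have the intermediate sign a leaf for NAME; prints the file.
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -config root.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:false\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA int.crt -CAkey int.key -CAcreateserial \
    -days 90 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
  echo "$1.crt"
}
# chain_ok NAME: exit 0 only if a leaf for NAME satisfies both constraint layers.
chain_ok() {
  openssl verify -CAfile root.crt -untrusted int.crt "$(issue_leaf "$1")" >/dev/null 2>&1
}
chain_ok api.pods.example.internal && echo "api.pods.example.internal: accepted"
chain_ok login.example.com || echo "login.example.com: rejected by the root's constraint"
chain_ok db.example.internal || echo "db.example.internal: rejected by the intermediate's constraint"
```

The third case is the one worth noticing: `db.example.internal` is inside the root's permitted scope but outside the pods intermediate's, so a compromised online intermediate can only mint names in its own subtree.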

Ted Hahn is an experienced Site Reliability Engineer who previously worked at Google, Facebook, and Houseparty. He currently works as an independent consultant helping startups do cloud.