For my personal home infrastructure I’ve been using step-ca to run an internal ACME server that issues TLS certificates for my .home.arpa domain. I also intended to use it to sign SSH certificates so I could simplify my SSH key setup. And I really like hardware-bound keys. They solve a very concrete problem: even if someone can extract a signing key from your system, it is effectively useless without access to the hardware it was bound to. This hardware could be something like a YubiKey or another FIDO device, but in 2026 most of our machines have a Trusted Platform Module (TPM) that functions as a free hardware enclave we can use to secure our keys. I have written two projects that help with this for general-purpose software: age-plugin-tpm implements TPM-backed encryption keys for the age encryption software, and ssh-tpm-agent lets you have SSH keys created by the TPM and used through the generic ssh-agent protocol. Which is why I got super excited when I saw that step-ca actually supports “ACME for device attestation”!

device-attest-01

What step-ca supports is a new ACME challenge called device-attest-01. ACME currently supports several different challenges that let you prove that you control a domain. The two most popular are http-01, which does an HTTP challenge, and dns-01, which does a DNS challenge. device-attest-01 proves the identity of a device by using attestation and having a trusted CA sign these statements for authenticity. Others have explained device attestation far better than me, but the general idea is to have some hardware enclave that we deem trustworthy sign statements about the integrity and authenticity of a device. The ACME server then issues a certificate to the device that attests to the identity of this device. That means we can use the TPM to create keys and issue certificates to our machines, bound to their identity.
https://datatracker.ietf.org/doc/draft-ietf-acme-device-attes...
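To make the verifying side of that idea concrete, here is an added example (my own constructed Go code, not step-ca's implementation and not the draft's CBOR wire format) that models the three checks a CA has to make before it trusts an attestation statement: the attestation certificate chains to a trusted attestation root (the role a TPM manufacturer CA plays), the statement is signed by the key in that certificate, and the key being attested is the key the client actually asked to have certified. The names VerifyDeviceAttestation, Attestation, statementDigest, issue, attest and BuildFixture are my own; the real TPM attestation structures are replaced by a SHA-256 over the attested key's SubjectPublicKeyInfo, and the whole certificate hierarchy is generated in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Simplified model of the checks an ACME server makes on a device-attest-01
// response (constructed example; not step-ca's code, not the draft's wire format):
// (1) trusted chain, (2) statement signed by that chain's leaf, (3) attested key == requested key.
var (
	ErrUntrustedChain = errors.New("attestation chain does not reach a trusted root")
	ErrBadSignature   = errors.New("attestation statement signature invalid")
	ErrKeyMismatch    = errors.New("attested key does not match requested key")
)

type Attestation struct {
	AttestedKey   *ecdsa.PublicKey    // key the hardware vouches for
	Signature     []byte              // ECDSA/ASN.1 signature over statementDigest(AttestedKey)
	Leaf          *x509.Certificate   // device attestation certificate (the signer)
	Intermediates []*x509.Certificate // attestation CA(s) between Leaf and the root
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// statementDigest stands in for the real TPM structures: SHA-256 over the attested key's SPKI.
func statementDigest(pub *ecdsa.PublicKey) []byte {
	sum := sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub)))
	return sum[:]
}

// VerifyDeviceAttestation returns nil only if all three checks pass.
func VerifyDeviceAttestation(att Attestation, requested *ecdsa.PublicKey, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range att.Intermediates {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := att.Leaf.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedChain, err)
	}
	signer, ok := att.Leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(signer, statementDigest(att.AttestedKey), att.Signature) {
		return ErrBadSignature
	}
	if !att.AttestedKey.Equal(requested) {
		return ErrKeyMismatch
	}
	return nil
}

// issue signs a certificate for pub; parent == nil means self-signed root.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// attest builds a constructed hierarchy (rootCN -> attestation CA -> device cert) and signs a statement over appPub.
func attest(rootCN string, appPub *ecdsa.PublicKey) (Attestation, *x509.Certificate) {
	rootKey, caKey, devKey := newKey(), newKey(), newKey()
	root := issue(rootCN, true, 1, nil, &rootKey.PublicKey, rootKey)
	ca := issue("Constructed Attestation CA", true, 2, root, &caKey.PublicKey, rootKey)
	dev := issue("Constructed Device Attestation Cert", false, 3, ca, &devKey.PublicKey, caKey)
	sig := must(ecdsa.SignASN1(rand.Reader, devKey, statementDigest(appPub)))
	return Attestation{AttestedKey: appPub, Signature: sig, Leaf: dev, Intermediates: []*x509.Certificate{ca}}, root
}

// BuildFixture returns a root pool trusting one constructed manufacturer, a good
// attestation over the requested key, and that requested key.
func BuildFixture() (roots *x509.CertPool, good Attestation, requested *ecdsa.PublicKey) {
	appKey := newKey()
	good, trustedRoot := attest("Constructed Manufacturer Root", &appKey.PublicKey)
	roots = x509.NewCertPool()
	roots.AddCert(trustedRoot)
	return roots, good, &appKey.PublicKey
}
```

The third check is the one that is easy to forget: a perfectly valid attestation from a genuine TPM is worthless if the CA then certifies a different key than the one the hardware vouched for, so the CA must compare the attested key against the key in the CSR, not merely accept the chain. A chain from a hierarchy that is not in the configured attestation roots fails the first check, and any modification of the statement after signing fails the second.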