Offline PKI using 3 Yubikeys and an ARM single board computer
7 comments
March 18, 2025
GauntletWizard
This is a pretty nice guide, though it misses some steps I'd consider important. If you're making a CA for internal use today, I would highly encourage you to use Name Constraints. Name Constraints allow you to specify that your CA will only be used to sign domains you pre-commit to. This means you can add your internal CA to your system trust stores on all of your corporate systems and not worry about it being abused to MITM your employees' connections to the wider internet. (If that is a feature you'd like to have, I would be happy to expound further on why that's a bad idea.)
I'm giving a workshop in a few weeks at BSides Seattle[1] about this - Pick up a Yubikey and come play with PKI with me.
rorychatt
> why that's a bad idea
Given that traffic inspection for user and service proxies relies on MITM traffic inspection for many forms of IPS/IDS beyond basic SNI signature detection - I'd love to hear more!
I'm not necessarily suggesting it should be mandatory - I remember the pain of introducing Zscaler about a decade ago and the sheer number of Windows apps that simply broke, leaving a trail of complex PAC files - but not enough to warrant off the solution.
I would assume the halfway house would be to leave Name Constraints off your offline CA, maintain (at least) one intermediary with constraints turned on for regular certificate lifecycle management for internal certs, and a dedicated intermediary that is only used to generate the MITM certs?
sebazzz
ZScaler is an absolute horror for a software developer also in charge of ops.
tiberious726
If the client actually supports the optional name constraint extension. Is it acceptably widespread nowadays?
GauntletWizard
Yes, Chrome introduced support in mid 2023, and it's now well rolled out. Firefox has had support for longer.
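The layout discussed above (an unconstrained offline root and an intermediate carrying Name Constraints for internal names) can be tried end to end with the OpenSSL CLI. This is an added example, not code from the guide or from any commenter; it assumes OpenSSL 1.1.1 or later with its default config file, uses software keys instead of Yubikeys, and the names `corp.example`, `example.org` and all file names are constructed.

```shell
# Added example: corp.example, example.org and every file name are constructed.
# Chain: unconstrained root -> name-constrained intermediate -> two leaf certs.

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null; }

# issue <name> <issuer> <ext-section>: new key and CSR, certificate signed by <issuer>
issue() {
  newkey "$1" &&
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" &&
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

name_constraints_demo() {
  nc_dir=$(mktemp -d) || return 1
  (
    cd "$nc_dir" || exit 1
    cat > ext.cnf <<'EOF'
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[constrained]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:corp.example
[inside]
subjectAltName = DNS:wiki.corp.example
[outside]
subjectAltName = DNS:www.example.org
EOF
    # Self-signed root without constraints, standing in for the offline CA.
    newkey root &&
    openssl req -new -key root.key -subj "/CN=root" -out root.csr &&
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
      -extfile ext.cnf -extensions root -out root.crt 2>/dev/null || exit 1
    issue internal root constrained || exit 1
    issue inside internal inside || exit 1     # SAN within the permitted subtree
    issue outside internal outside || exit 1   # SAN outside the permitted subtree
    # Signing both leaves succeeds; the constraint is enforced at validation time.
    for leaf in inside outside; do
      if openssl verify -CAfile root.crt -untrusted internal.crt "$leaf.crt" >/dev/null 2>&1
      then echo "$leaf=accepted"; else echo "$leaf=rejected"; fi
    done
  )
  nc_rc=$?; rm -rf "$nc_dir"; return "$nc_rc"
}

name_constraints_demo
```

The intermediate can still sign the out-of-scope certificate; it is the verifier that rejects the chain, which is why client support for the extension matters.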
null
This is a really neat solution, as finding a really good enterprise-y solution that meets the needs for hardware encryption, offline CAs, all that good stuff is really hard to find that doesn't suck. Active Directory Certificate Services has long been the de facto for windoze shops still, but a security nightmare, and most every 3rd-party solution really isn't much better, not to mention stupidly expensive. Almost all are tailored toward replacing ADCS, but do so in hardly "good" ways.
I'm helping a customer test Yubikey HSM2's to bootstrap an enterprise PKI, this is both cheaper and better for all the normal Yubikeys, SBC, and a nice open solution to make use of them. I really wish I saw this a few months ago.
It's a shame it's 2025 and still so elusive to find good PKI solutions out there for both big and small businesses. This sort of project keeps some hope alive!