[tashian]

Hi! For this post I developed a smooth and secure mutual TLS workflow for authenticating to a homelab.

It combines:

- a TLS client certificate and hardware-bound private key stored on a YubiKey (using the YubiKey PIV application)

- ACME device attestation (using the new device-attest-01 ACME challenge type, added in 2022 and introduced in iOS 16)

- Recent improvements in browser support for client certificates and smart cards

The result: You can plug the YubiKey into a laptop or mobile device anywhere in the world, pop open a browser, and go directly to your homelab. Most browsers will pick up the client certificate from the YubiKey and you'll authenticate with one click.

I work at Smallstep and this project uses our open source step-ca Certificate Authority, plus a Caddy server as a reverse proxy for homelab apps.