ReactorCA: Homelab/SOHO Certificate Authority with Age Encryption and Deployment
Summary
ReactorCA is a robust Go CLI tool designed for managing a Certificate Authority in homelab or small-office environments. It streamlines the process of issuing, renewing, and deploying TLS certificates for internal services and devices. A key feature is its use of `age` encryption for securely managing private keys, simplifying certificate lifecycle management amidst increasingly shorter validity periods.
Introduction
ReactorCA is a command-line interface (CLI) tool written in Go, specifically tailored for setting up and managing a Certificate Authority (CA) within homelab or Small Office/Home Office (SOHO) setups. It addresses the growing challenge of managing TLS certificates for internal services, especially with modern browsers and CAs enforcing shorter certificate validity periods.
This tool simplifies the entire certificate lifecycle, from initial CA creation to issuing, renewing, and deploying host certificates. Its standout feature is the secure management of private keys using age encryption, allowing for configuration and CA stores to be safely version-controlled, for example, within a Git repository.
Installation
Getting ReactorCA up and running is straightforward. You can either download pre-built binaries or compile it from source.
Pre-built Binaries
The easiest way to install ReactorCA is to download the latest release for your operating system from the GitHub releases page, https://github.com/serpent213/reactor-ca/releases.
Build from Source
git clone https://github.com/serpent213/reactor-ca.git
cd reactor-ca
go build -o ca ./cmd/ca
Examples
Here's a quick start guide to demonstrate the core functionalities of ReactorCA:
1. Initialize Configuration
First, create the default configuration files:
ca init
ca init detects your SSH keys and uses them to configure age encryption, falling back to password-based encryption if no SSH keys are found.
2. Create CA Certificate
After customizing config/ca.yaml, create your self-signed CA:
ca ca create
Install this root CA certificate (the certificate only, never the CA private key) on every client device that needs to trust your internal hosts.
3. Issue Host Certificate
To issue a certificate for a host defined in config/hosts.yaml:
ca host issue web-server-example
4. List Certificates
View all managed certificates and their expiration dates:
ca host list
5. Export and Deploy Certificates
ReactorCA allows flexible export and deployment. You can issue and deploy in one go:
ca host issue web-server-example --deploy
Or deploy independently after issuance:
ca host deploy web-server-example
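The steps above reduce to a handful of crypto/x509 calls. The Go program below is an added example written for this page, not ReactorCA's own code: it builds a self-signed root (step 2), issues a host certificate with SANs and no CSR (step 3), verifies it the way a client with the root installed would, and computes a days-to-expiry figure of the kind step 4 lists. The names NewCA, IssueHost, Verify, DaysUntilExpiry and the hostnames under home.lab are assumptions. What ReactorCA adds on top, age encryption of the keys at rest and deployment to hosts, is deliberately left out; the keys here only ever live in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds the self-signed root and its key. In ReactorCA the key would sit age-encrypted in the CA store; here it stays in memory.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and a random 128-bit serial (RFC 5280) for tmpl, then signs it with parentKey, self-signing when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed root restricted to signing end-entity certificates (roughly what `ca ca create` builds from config/ca.yaml).
func NewCA(commonName string, validFor time.Duration) (*CA, error) {
	now := time.Now()
	cert, key, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // no intermediates may hang below this root
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueHost creates the host key and a server certificate for dnsNames in one step; as with ReactorCA there is no CSR, the CA side makes the key.
func (ca *CA) IssueHost(dnsNames []string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsNames[0]},
		DNSNames:    dnsNames, // clients match the hostname against SANs, not the CN
		NotBefore:   now.Add(-5 * time.Minute),
		NotAfter:    now.Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca.Cert, ca.Key)
}

// Verify is the check a client makes once the root is installed: chain ends at our root, hostname is in the SANs, `at` lies in the validity window.
func (ca *CA) Verify(cert *x509.Certificate, hostname string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     hostname,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DaysUntilExpiry is the figure an inventory such as `ca host list` shows; partial days round up.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int((cert.NotAfter.Sub(now) + 24*time.Hour - 1) / (24 * time.Hour))
}

func main() {
	ca, err := NewCA("Homelab Root CA", 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, _, err := ca.IssueHost([]string{"web.home.lab", "www.home.lab"}, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain ok:", ca.Verify(cert, "www.home.lab", time.Now()) == nil, "days left:", DaysUntilExpiry(cert, time.Now()))
}
```

Two details carry the security weight: the root is created with BasicConstraints pathLen 0 and KeyUsage limited to certificate and CRL signing, so a leaked host certificate cannot be used to mint further certificates, and the host certificate carries the hostname in the SAN list, which is what clients actually check. Verify rejects a hostname missing from the SANs and a time past NotAfter, the two failures a homelab most often trips over after a renewal is forgotten.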
For more detailed examples and advanced workflows, refer to the project's comprehensive documentation.
Why Use It?
ReactorCA stands out for several reasons, making it an excellent choice for homelab and SOHO environments:
- Simplified Certificate Management: It provides a "one-button" solution for reissuing and deploying certificates, crucial given the trend towards shorter certificate lifespans.
- Centralized Key Management: Unlike traditional CA flows that rely on Certificate Signing Requests (CSRs), ReactorCA generates and manages all private keys centrally, which simplifies operations. The trade-off is that the CA store holds every host's private key and deployment has to transport them, so the store and the deployment channel deserve the same care as the CA key itself.
- Strong Key Protection: Private keys are encrypted with the modern age encryption standard, which supports password, SSH key, and hardware token-based protection. This allows the CA store and configuration to be kept in a version control system such as Git. Bear in mind that a password-protected store in a shared repository can be attacked offline, so its security is bounded by the passphrase; SSH key or hardware token recipients avoid that exposure.
- Modern and Efficient: Built in Go, it compiles to a single, statically linked binary with no runtime dependencies, making it easy to deploy.
- Comprehensive Features: Includes certificate inventory, expiration tracking, flexible deployment scripts, and extensive X.509 extension configuration.
Links
- GitHub Repository: https://github.com/serpent213/reactor-ca
- Releases Page: https://github.com/serpent213/reactor-ca/releases
- Go Reference: https://pkg.go.dev/reactor.de/reactor-ca
- Age Encryption Project: https://age-encryption.org/