0007 Offline root CA with YubiKey and SLIP-0039
Context
The homelab needs an internal PKI (mTLS, internal services), but an online root CA key — even in Vault — makes the cluster a single compromise away from total trust failure. Vault itself gets rebuilt/restored often enough that it shouldn't hold the root.
Decision
Generate the root CA in an offline ceremony (
pki/offline-root-ceremony.sh): the root key is anchored to a YubiKey, with backup material sharded via SLIP-0039 shares.Vault operates only the intermediate, imported as the active issuing CA (
terraform/vault/manages the mounts/policies).
Consequences
Compromise of the cluster or Vault caps out at the intermediate; revoke-and-reissue does not require re-rooting every trust store.
Issuing day-to-day certs is unchanged (Vault does it); only intermediate rotation requires a ceremony with the YubiKey.
Ceremony artifacts under
pki/export/are gitignored — keys and certs never land in the repo.Recovery depends on physical custody of the YubiKey and enough SLIP-0039 shares; losing both is unrecoverable by design.
Links
Linked references 2
ADR/0007 Offline root CA with YubiKey and SLIP-0039 — root stays offline; Vault runs the intermediate
The root CA was generated in an offline ceremony (pki/offline-root-ceremony.sh) anchored to a YubiKey with the key material sharded via SLIP-0039. Vault holds and operates the intermediate as the active issuing CA. See ADR/0007 Offline root CA with YubiKey and SLIP-0039.