Home Assistant Add-on: step-ca-client
About
This is a step-ca client add-on for Home Assistant.
It manages the automatic creation and renewal of x509 certificates from a
remote step-ca PKI server, in order to enable TLS/SSL connections in
Home Assistant and the installed addons.
Here is a quick-start guide on how to set up step-ca.
With a YubiKey you can even set up a hardware-based, local PKI.
Read the full add-on documentation
Installation
The installation of this add-on is pretty straightforward and not different
compared to installing any other Home Assistant add-on.
- First you will need to add the repository to your add-on store with the
  following button:
- Click on add to complete adding the repository.
- Click the Home Assistant My button below to open the add-on on your Home
  Assistant instance.
- Click the “Install” button to install the add-on.
- Configure the add-on in the configuration tab.
- Start the “step-ca-client” add-on.
- Check the logs of the “step-ca-client” add-on to see it in action.
Configuration
You will need a one-time token generated with `step ca token` to issue the
certificate, and to keep the add-on always running so it renews the certificate
automatically (enable “Start on boot” and “Watchdog” on the
[add-on configuration page][addon-config]).
Note: Certificates in step-ca have short lifetimes, usually 24 hours. If the add-on
is not running and the certificate expires, you must manually generate
a new one-time token.
The certificate lifetime is dictated when creating the token. It uses the
default provisioner lifetime. You can change it with
`step ca provisioner update <provisioner-name> --x509-default-dur=<duration>`
before generating the token, but keep in mind [the design decisions of step-ca][passive-revocation].
Example add-on configuration:
```yaml
ca_url: https://tinyca.internal
root_ca_fingerprint: "d9d0978692f1c7cc791f5c343ce98771900721405e834cd27b9502cc719f5097"
token: "692f1c7cc791f5c343ce987d9d0978692f1c7cc791f5c343ce98692f1c7cc791f5c343ce987"
subjects:
  - homeassistant.local
  - mqtt.local
keyfile: privkey.pem
certfile: fullchain.pem
key_type: RSA
log_level: info
```
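The following is an added example and not code from the step-ca-client add-on. It checks a configuration like the one above for the mistakes that stop issuance (plain-http `ca_url`, malformed root fingerprint, missing token or subjects), parses the Go-style duration that `--x509-default-dur` takes, and classifies a certificate as fine, due for renewal, or expired (the case where a fresh one-time token is needed). The function names, the renew-at-two-thirds-of-lifetime rule, and EC as an accepted `key_type` are assumptions made here, not documented add-on behaviour; the sample configuration dict is the README's example, constructed inline.

```python
"""Added example, not code from the step-ca-client add-on: sanity-check an
add-on configuration like the one above and work out where a certificate
sits in its renewal cycle. Stdlib only.

The function names, RENEW_FRACTION (2/3 of the lifetime) and EC as an
accepted key_type are assumptions made for this example."""
import re
from datetime import datetime, timedelta

# Constructed sample: the README's example configuration as a dict (the real
# add-on reads its options from Home Assistant, not from this literal).
SAMPLE_CONFIG = {
    "ca_url": "https://tinyca.internal",
    "root_ca_fingerprint": "d9d0978692f1c7cc791f5c343ce98771900721405e834cd27b9502cc719f5097",
    "token": "692f1c7cc791f5c343ce987d9d0978692f1c7cc791f5c343ce98692f1c7cc791f5c343ce987",
    "subjects": ["homeassistant.local", "mqtt.local"],
    "keyfile": "privkey.pem",
    "certfile": "fullchain.pem",
    "key_type": "RSA",
    "log_level": "info",
}

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
ALLOWED_KEY_TYPES = {"RSA", "EC"}  # assumption: the page itself only shows RSA
RENEW_FRACTION = 2 / 3  # assumption: renew once two thirds of the lifetime has elapsed


def validate_config(cfg):
    """Return a list of problems with the add-on options; empty means usable."""
    problems = []
    if not str(cfg.get("ca_url", "")).startswith("https://"):
        problems.append("ca_url must be an https:// URL")
    if not SHA256_HEX.match(str(cfg.get("root_ca_fingerprint", "")).lower()):
        problems.append("root_ca_fingerprint must be a 64-hex-digit SHA-256 fingerprint "
                        "(the client uses it to verify the root certificate it fetches)")
    if not cfg.get("token"):
        problems.append("token is required: generate one with `step ca token`")
    if not cfg.get("subjects"):
        problems.append("subjects must list at least one name")
    for name in ("keyfile", "certfile"):
        if not cfg.get(name):
            problems.append(f"{name} must name an output file")
    if cfg.get("key_type") not in ALLOWED_KEY_TYPES:
        problems.append(f"key_type must be one of {sorted(ALLOWED_KEY_TYPES)}")
    return problems


_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a Go-style duration such as '24h' or '1h30m' (the format that
    --x509-default-dur accepts) into a timedelta; reject anything else."""
    parts = _DURATION_PART.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a duration: {text!r}")
    return timedelta(seconds=sum(float(n) * _UNIT_SECONDS[u] for n, u in parts))


def renewal_state(issued_at, duration, now):
    """Classify a certificate issued at `issued_at` (ISO 8601) with lifetime
    `duration` (duration string) as seen at time `now` (ISO 8601):

    'ok'      inside the window, renewal not yet due
    'renew'   past the renewal point; the running add-on should renew now
    'expired' too late to renew; a new one-time token is needed (see Note above)
    """
    not_before = datetime.fromisoformat(issued_at)
    not_after = not_before + parse_duration(duration)
    now = datetime.fromisoformat(now)
    if now >= not_after:
        return "expired"
    if now >= not_before + (not_after - not_before) * RENEW_FRACTION:
        return "renew"
    return "ok"


if __name__ == "__main__":
    print("config problems:", validate_config(SAMPLE_CONFIG) or "none")
    for t in ("2024-01-01T01:00:00", "2024-01-01T17:00:00", "2024-01-02T00:00:01"):
        print(t, renewal_state("2024-01-01T00:00:00", "24h", t))
```

With the 24-hour default lifetime the renewal point falls 16 hours after issuance, which is why the add-on has to stay running: a certificate that reaches `expired` can no longer be renewed and the `step ca token` step has to be repeated.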