Continuing the #Enterprise-Lab topic, let's dig into designing a #two-#tier #PKI for the #network.
In the design phase, the very first step is to consider the #security #infrastructure. Most people think of buying certificates signed by a public #CA (certificate authority). That is mandatory for services that must be reachable by internet customers, but it is entirely optional for internal use and for #SBI #interfaces, where you control both ends of the connection and can distribute your own trust anchor.
I agree that running your own CA is challenging, but it is perfectly possible.
My verified solution is as follows.
1- Offline #RootCA ---> a lightweight VM that is powered on only to sign or revoke the intermediate
2- Online issuing CA, i.e. the #Intermediate CA ---> Raspberry Pi 5
3- #TPM 2.0 protecting the offline #RootCA signing key (the key is generated and used inside the TPM, so the root #certificates are signed by a key that never leaves it)
4- #YUBICO YubiKey 5 Nano as the #HSM on the intermediate CA, holding its signing key in a PIV slot
All mTLS certificates for SBI interfaces and TLS certificates for UIs or any other WebGUI(s) can then be signed by this #hierarchy, with clients trusting only the root and servers presenting leaf plus intermediate. Additionally, SSH connections can use certificates instead of bare keys; note that OpenSSH certificates are a separate format signed with ssh-keygen -s by an SSH CA key, not by the X.509 chain, so the SSH CA key needs the same offline or hardware protection.
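The hierarchy above, as an added lab example using only openssl (these are not the author's own scripts). The keys are on-disk stand-ins: in the real build the root key lives in the TPM 2.0 and the intermediate key in the YubiKey PIV slot, and openssl would address them through a PKCS#11 engine or provider rather than a .key file. The CA names and hostnames (Lab root, sbi-node1.lab.internal, and so on) are constructed for the example. The root carries pathlen:1 and the intermediate pathlen:0, and the checks at the end show a server cert accepted for its purpose, rejected as a client cert, and a leaf under a rogue third tier rejected by the root, which is the property that limits the damage of an online-CA compromise.

```shell
#!/usr/bin/env bash
# Added lab example (not the author's own scripts): two-tier X.509 hierarchy
# with openssl, modelled on the offline-root / online-intermediate design.
# Keys are on-disk stand-ins; in the real build the root key lives in the
# TPM 2.0 and the intermediate key in the YubiKey PIV slot, addressed via a
# PKCS#11 engine/provider instead of a .key file. All names are constructed.
set -eu

# Write an X.509v3 extension profile to file $1; $2 selects the profile.
write_ext() {
  case "$2" in
    root)   printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:1' \
                          'keyUsage=critical,keyCertSign,cRLSign' \
                          'subjectKeyIdentifier=hash' ;;
    int)    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                          'keyUsage=critical,keyCertSign,cRLSign' \
                          'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid:always' ;;
    server) printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' \
                          'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:sbi-node1.lab.internal' \
                          'authorityKeyIdentifier=keyid:always' ;;
    client) printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' \
                          'extendedKeyUsage=clientAuth' 'subjectAltName=DNS:sbi-node2.lab.internal' \
                          'authorityKeyIdentifier=keyid:always' ;;
  esac > "$1"
}

# issue DIR NAME PROFILE CA DAYS: new P-256 key + CSR, signed by CA
# (self-signed when CA is empty). Stderr is silenced to keep the demo quiet.
issue() {
  local dir="$1" name="$2" profile="$3" ca="$4" days="$5"
  write_ext "$dir/$name.ext" "$profile"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -subj "/CN=Lab $name" -out "$dir/$name.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -sha256 -days "$days" \
      -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
      -CAcreateserial -sha256 -days "$days" -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  fi
}

# Build the hierarchy in DIR: offline root (pathlen:1), issuing CA (pathlen:0),
# one mTLS server/client pair, plus a rogue third tier that root must reject.
build_pki() {
  local dir="$1"
  mkdir -p "$dir"
  issue "$dir" root         root   ""           3650
  issue "$dir" intermediate int    root         1825
  issue "$dir" sbi-server   server intermediate 365
  issue "$dir" sbi-client   client intermediate 365
  issue "$dir" rogue-subca  int    intermediate 365   # intermediate signing another CA
  issue "$dir" rogue-leaf   server rogue-subca  365
  cat "$dir/intermediate.crt" "$dir/rogue-subca.crt" > "$dir/rogue-chain.pem"
}

# verify_leaf DIR LEAF CHAINFILE PURPOSE: validate LEAF against root.crt using
# CHAINFILE as the untrusted intermediates and PURPOSE (sslserver/sslclient).
# Prints OK or FAIL so callers can compare on the result.
verify_leaf() {
  local dir="$1" leaf="$2" chain="$3" purpose="$4"
  if openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/$chain" \
       -purpose "$purpose" "$dir/$leaf.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

lab=$(mktemp -d)
build_pki "$lab"
echo "server cert as TLS server:        $(verify_leaf "$lab" sbi-server intermediate.crt sslserver)"
echo "client cert as TLS client:        $(verify_leaf "$lab" sbi-client intermediate.crt sslclient)"
echo "server cert as TLS client (EKU):  $(verify_leaf "$lab" sbi-server intermediate.crt sslclient)"
echo "leaf under rogue sub-CA (pathlen): $(verify_leaf "$lab" rogue-leaf rogue-chain.pem sslserver)"
```

The two FAIL results are the checks worth keeping in a real deployment: the EKU split stops a server certificate from being replayed as an mTLS client identity, and pathlen:0 on the intermediate means that even if the Raspberry Pi is compromised, the attacker cannot mint a further CA that chains to the root. Swapping the on-disk CA keys for the TPM and YubiKey changes only how openssl reaches the key, not the certificates or these checks.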