I am creating a self-hosted CA for my internal home network as a hobby project and to learn something new. I'm using Smallstep's open-source step-ca and step CLI.
After creating the CA, the next step is to, of course, get the root_ca.crt onto my devices that will be interfacing with it. Smallstep documentation provides two methods of doing so (bolding is mine):
If you are using your certificate authority for TLS in production, explicitly configuring your ACME client to only trust your root certificate is a better option. You will see how this method works with an example below. You can find several other examples here.
If you are simulating Let’s Encrypt in pre-production, installing your root certificate is a more realistic simulation of production. Once your root certificate is installed, no additional client configuration is necessary.
I find these two paragraphs a little at odds with each other. The first option is "better" but the second is "more realistic".
Why is configuring the ACME client to only trust my root certificate the better option?
Example using certbot:

sudo REQUESTS_CA_BUNDLE=<path to root certificate> certbot certonly -d <domain> --server <URL of my CA>