Access your homelab securely via mTLS with a YubiKey and ACME device-attest-01

4 points by tashian about 2 years ago

1 comment

tashian about 2 years ago
Hi! For this post I developed a smooth and secure mutual TLS workflow for authenticating to a homelab.

It combines:

- a TLS client certificate and hardware-bound private key stored on a YubiKey (using the YubiKey PIV application)
- ACME device attestation (using the new device-attest-01 ACME challenge type, added in 2022 and introduced in iOS 16)
- Recent improvements in browser support for client certificates and smart cards

The result: You can plug the YubiKey into a laptop or mobile device anywhere in the world, pop open a browser, and go directly to your homelab. Most browsers will pick up the client certificate from the YubiKey and you'll authenticate with one click.

I work at Smallstep and this project uses our open source step-ca Certificate Authority, plus a Caddy server as a reverse proxy for homelab apps.