So you have more Yubikeys than sense? Great, me too! Let’s make a multi-tier certificate authority!

By the end of this article, we’ll have a fully-functioning two-tier CA where the private keys for the CAs are stored on Yubikeys. In addition, we’ll make sure that we generate the private keys directly on the Yubikeys for zero chance of key compromise. All keys will be elliptic-curve (ECC), and–barring mistakes on my part–the CA should fully adhere to RFC 5759, NSA’s Suite B Certificate and Certificate Revocation List (CRL) Profile.

Sometimes I just want to name things the way I deem fit. Pocket, back when they were called “Read It Later”, used to include this functionality. Somewhere along the way, Pocket decided to remove that feature in preference to augmenting their product to do a really good job of figuring out what an article’s title should be. However, there are still many times that it would be helpful to have the ability to manually rename an article. I’ll detail some problematic articles below, with screenshots.

I’m playing with ZFS on Linux using Debian jessie (and eventually stretch). I decided I really wanted to use ZFS for everything, including /boot/grub and swap space. In addition, I wanted to boot using UEFI. This is how I did it.

It’s taken quite a while, but I have replaced my home server’s OS with SmartOS. (It was previously running Windows with Hyper-V. Look for a future blog post about the migration in general.) With the previous layout, I had a single Linux guest called “nas” that was my file server, but did triple-duty running Plex and the CrashPlan client as well. After migrating most of my other Hyper-V guests to OS zones where possible, it was time to tackle getting a CrashPlan zone going. Unfortunately, Code42 retired Solaris as a supported platform a while back. However, since it’s “just Java”, I figured the Linux package might work in an LX-brand zone. Turns out, it works quite well–with one minor caveat.