Fedora package for step-ca from smallstep

NOTE: This is a transferred article from

Author: sdgathman

Article proposal: I am testing a Fedora package for step-ca from smallstep. The company offers a company repo that tries to support Fedora, but this will be a native Fedora package. Once the package is accepted (still waiting on yggdrasil-network to be reviewed), I planned to submit an article on the Evil TLS Cabal that can MITM your browser connections since mainstream browsers trust their CAs for absolutely everything by default.
I noticed when submitting the yggdrasil-network package that Fedora auto-generates a COPR build for each SRPM submitted. (Great feature.) So the article could actually happen before the step-ca package is accepted. I’ve seen other articles talk about COPR packages.
After the conspiracy stuff in the intro, the article will be about running your own private TLDs, how easy it is with the smallstep, httpd/nginx and acme-tiny packages in Fedora, and why Big Corps do it for their own internal infrastructure. The audience is self-hosters using Fedora, and why they (alone or in conjunction with friends) should have their own TLD, DNS servers, and ACME CAs supporting it (along with the ICANN/Cabal TLDs and certs used by normies).

An unsolved problem is limiting trust for CAs by mainstream browsers. Apart from the TLS cabal, if strangers load your CA and the browser trusts it for everything (rather than just the private TLDs it is for), then you can MITM all their connections, just like the TLS cabal CAs! I get all kinds of answers along the lines of RFC 5280 (X.509 extensions limiting authority) - but those all assume complete trust in the loaded CAs. Note that the TLS cabal itself sounded this alarm when they stopped certifying .RU domains and Russia set up their own national CA. There should be a way to trust the Russian CA only for .RU domains.

I have read and understand the AI-Assisted Contributions Policy.


For Editor Use Only

Editor: glb

Image Editor: rlengland

Publication Date: 4/1/2026

Preview Link: Make a private CA with step-ca - Fedora Magazine