ACME device attestation, smallstep and pkcs11: attezt
Summary
The post details using step-ca for internal TLS with device-attest-01 to attest devices via TPM endorsements, enrolling EK hashes, and provisioning a PKCS11-accessible TPM-backed key via attezt, attezt-agent, and atteztd. It walks through setting up a local attestation CA, provisioning, generating device certificates, and using PKCS11 to access TPM keys for mTLS with nginx, plus a note on SSH certs and future work.