readme.md

@@ -3,28 +3,26 @@
 A certificate authority for the HomeLab.
 
 The setup was mostly done by following these two guides:
-
-- [Jamie Nguyen's OpenSSL CA guide](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html)
-- [Mour's](https://github.com/mylamour) [blog post Jamie's guide using an HSM](https://github.com/mylamour/blog/issues/80)
+* [Jamie Nguyen's OpenSSL CA guide](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html)
+* [Mour's](https://github.com/mylamour) [blog post Jamie's guide using an HSM](https://github.com/mylamour/blog/issues/80)
 
 ## Notes of precaution
 
-- The root key is a yubikey kept in a physical vault at a bank in Switzerland.
+* The root key is a yubikey kept in a physical vault at a bank in Switzerland.
+* All signings are done on an airgapped machine in a live-boot environment.
+* This repo is transferred on and off the signing machine with a regular usb drive.
 
 ## Setup
 
 ### Required Software
 
-- OpenSSL
-- libp11
-- [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/)
-  - [AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)
+* OpenSSL
+* libp11
+* [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/)
+  *[AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)
 
 **macOS note:** openssl installed via homebrew does not pickup on libp11, you need to manually copy the pkcs11 library (update the versions):
-
-```sh
-cp /opt/homebrew/Cellar/libp11/0.4.12/lib/engines-3/pkcs11.dylib /opt/homebrew/Cellar/openssl@3/3.2.1/lib/engines-3/
-```
+`cp /opt/homebrew/Cellar/libp11/0.4.12/lib/engines-3/pkcs11.dylib /opt/homebrew/Cellar/openssl@3/3.2.1/lib/engines-3/`
 
 ### Environment Variables