Client_auth certificates generation

Yeah, client cert auth is not possible without HTTPS.

You can turn on Caddy’s internal cert issuer though, so you get Caddy to generate and maintain “essentially self-signed” server certs (Caddy will generate its own local CA which it can use to generate certificates to use for HTTPS, but those won’t be trusted by browsers since the root CA cert won’t be in their trust store – you can install Caddy’s root CA cert in their trust stores though)

Right, so that again depends on how the client certs will be generated and managed.

But in this case, those options are what tells Caddy what client certificates to trust.

If you’re using a managed CA to issue the client certs, then you’d use the trusted_ca_cert option, so Caddy can verify that the client cert was signed by that CA.

If you’re issuing one-off leaf certs, you can list them out in Caddy’s config one by one (leaf is the individual certs that are issued to clients, think of the “root” cert as the tree trunk which spawns off branches/leaves).

It’s probably easier in the long run to give Caddy the CA cert, so you don’t need to change Caddy’s config and reload every time you revoke or issue a new cert.
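As an added illustration of the two options described in the reply above (this is an example Caddyfile, not configuration posted by the original author or taken from Caddy’s documentation), here is a site block that uses Caddy’s internal issuer for the server certificate and trusts client certificates signed by a private CA. The hostname and the file paths are assumptions for the example; `trusted_ca_cert_file` and `trusted_leaf_cert_file` are the Caddyfile spellings of the `trusted_ca_cert` / leaf options mentioned above.

```caddyfile
# Example Caddyfile (added illustration, not from the original post).
# "internal" makes Caddy issue the server cert from its own local CA, so
# HTTPS works without a public CA; clients must trust that root CA cert
# (or accept the warning) because it is not in browser trust stores.
example.internal {
	tls internal {
		client_auth {
			# require_and_verify rejects connections without a client cert
			# and verifies the presented cert chains to a trusted CA/leaf.
			mode require_and_verify

			# Option 1 (recommended above): trust a managed CA, so new or
			# revoked client certs do not require a Caddy config reload.
			# Path is an assumption; point it at your client-issuing CA's PEM.
			trusted_ca_cert_file /etc/caddy/client-ca.pem

			# Option 2: trust individual one-off leaf certs explicitly.
			# Each new client cert would need to be added here and Caddy reloaded.
			# trusted_leaf_cert_file /etc/caddy/clients/alice.pem
		}
	}

	respond "client certificate accepted"
}
```

With `require_and_verify`, a client that presents no certificate, or one not chaining to `client-ca.pem`, is refused during the TLS handshake before any request reaches the `respond` handler, which is the behaviour you want if the goal is to gate the site on client identity rather than just log it. Note that listing a CA here does not by itself check revocation; if you revoke client certs, you still need a revocation mechanism (or short-lived client certs) on the CA side.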