Client TLS Setup (iOS, macOS)

Ok, so I think I’ve figured out what I was doing wrong. The user.crt and user.key files are not the right format for Safari or Firefox. I had to create a .p12 file and import that.

This was done with openssl pkcs12 -export -in user.crt -inkey user.key -name user > user.p12

Edit: Just found this can be done with step using: step certificate p12 user.p12 user.crt user.key

For future travelers, here are the steps I took using step and openssl.

Create CA and generate root cert

# initialize a local ca
$ step ca init

# locate root certs
$ ls ~/.step/certs/
intermediate_ca.crt  root_ca.crt

Configure Caddy

In Caddyfile example above, set trusted_ca_cert_file "/path/to/root_ca.crt"

Generate client cert

Since auto-updating client certs on your phone is not an option, you’ll want an expiration longer than 24h. I set mine to 1 year (365*24=8760).
Open .step/config/ca.json and add the following to the “authority” block:

"claims": {
    "maxTLSCertDuration": "8760h"
},

Now you can generate the actual cert for a user

# generate user cert (uses password from CA initialization)
$ step ca certificate --offline --not-after=8760h "myuser" myuser.crt myuser.key

# this can be used directly by curl using
$ curl --cert ./myuser.crt --key ./myuser.key https://auth_test.caddy

# generate p12 for Safari and Firefox
$ step certificate p12 ./myuser.p12 ./myuser.crt ./myuser.key

Finally, manually import ./myuser.p12 into the client.

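As an added example (not part of the post above, and not step or Caddy project code), here is the same CA -> one-year client cert -> .p12 flow done with openssl alone, plus the checks worth running before handing a bundle to a phone: the cert chains to the root, is marked for client auth only, really expires at the 8760h mark, and the .p12 opens again with its passphrase. The throwaway root CA, the user name myuser, the $WORK directory and the demo passphrase are all constructed for this script; with a step CA you would point the verify step at ~/.step/certs/root_ca.crt and add the intermediate as shown in the comment.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the post's flow
# (CA -> 1-year client cert -> .p12) with openssl alone, and verify each
# artifact before handing the bundle to a device.
# Everything under $WORK (CA, user, passphrase) is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CLIENT_DAYS=365                      # 365*24 = 8760h, the post's maxTLSCertDuration
P12_PASS="${P12_PASS:-demo-only-passphrase}"
export P12_PASS                      # read by openssl via env:, never placed in argv

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = demo-root-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # leaf extensions: not a CA, usable only as a TLS client
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
}

# Self-signed root, standing in for ~/.step/certs/root_ca.crt (constructed).
make_demo_ca() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/demo.cnf" \
        -keyout "$WORK/root_ca.key" -out "$WORK/root_ca.crt" 2>/dev/null
}

# Client cert for user $1, capped at CLIENT_DAYS and restricted to clientAuth.
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root_ca.crt" -CAkey "$WORK/root_ca.key" \
        -CAcreateserial -days "$CLIENT_DAYS" -extfile "$WORK/client.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Chain, purpose and lifetime checks; prints "ok" only if all of them pass.
verify_client_cert() {
    crt="$WORK/$1.crt"
    # chains to the root and is permitted for TLS client auth
    # (with a step CA add: -untrusted ~/.step/certs/intermediate_ca.crt)
    openssl verify -CAfile "$WORK/root_ca.crt" -purpose sslclient "$crt" >/dev/null 2>&1 || return 1
    # still valid in 364 days (-checkend takes seconds; exit 0 means it will NOT expire by then)
    openssl x509 -in "$crt" -noout -checkend $((364 * 24 * 3600)) >/dev/null || return 1
    # but gone by day 366, i.e. the 8760h cap was actually respected
    if openssl x509 -in "$crt" -noout -checkend $((366 * 24 * 3600)) >/dev/null; then
        return 1
    fi
    echo ok
}

# Equivalent of `step certificate p12`, with the root included so the device
# can show the chain; then round-trip the bundle to prove it opens.
bundle_p12() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/root_ca.crt" -name "$1" -passout env:P12_PASS -out "$WORK/$1.p12"
    openssl pkcs12 -in "$WORK/$1.p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q "CN *= *$1\$"
}

demo_all() {
    make_demo_ca
    issue_client_cert "$1"
    verify_client_cert "$1"
    bundle_p12 "$1" && echo "bundle: $WORK/$1.p12"
}

demo_all myuser
```

The passphrase is passed through the environment rather than as a -passout pass: argument, since command-line arguments are visible to other local users. One caveat when the bundle is made with OpenSSL 3: its pkcs12 default switched to AES-256-CBC with PBKDF2, which older Apple keychain importers reject; if the import fails, regenerate with the -legacy option to get the older encryption those importers accept.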