Generating client certificates

1. Caddy version:

2.6.3

2. How I installed, and run Caddy:

$ pacman -Syu caddy
$ caddy

a. System environment:

Arch, still in the development phase. I’ll probably run it on the latest Ubuntu LTS with systemd.

b. Command:

$ caddy

c. Service/unit/compose file:

n/a

d. My complete Caddy config:

n/a

3. The problem I’m having:

I want to have subdomains for each of my customers, that is no problem. A wildcard server certificate with DNS challenge is easy.
But I want my customers to authenticate with a client certificate. That client certificate is issued by my software and immediately trusted by Caddy. I have read client_authentication, and I need to use trusted_ca_certs. That way any client cert signed with the CA cert pointed to here would be trusted (correct, right?).

What I’m not clear on is:

  1. What the value of that trusted_ca_certs needs to be. I assume it is generated by Caddy on first start or something?
  2. How do I use that trusted_ca_certs value and generate, on the fly, new client certificates? This seems out of scope? Another post on this forum suggests something like an ‘internal cert issuer’, but I can’t find how that would work.

Thank you in advance for any pointers you might have for me.

4. Error messages and/or full log output:

n/a

5. What I already tried:

Read the docs.

6. Links to relevant resources:

See the hyperlinks in the question (I can’t repeat them here b/c a new user can’t add more than 4 links).

It’s one (or more) certificates (usually root, can be intermediate) that signed the certificates you want to trust. Paths to files.

It’s not. Caddy doesn’t generate client certs. That’s something you’ll need to manage yourself. You can use Smallstep’s CLI tooling to do this. Generate a CA with Smallstep, then point Caddy to the root CA cert to trust client certs signed by that CA.

Correct, client cert automation doesn’t exist yet, except for reverse_proxy’s tls_client_auth which can be configured to automate for use in proxy connections, but that’s not what you’re asking for.

Caddy can manage CAs internally to issue certificates, but it’s only really usable for server certificates right now. There’s no tooling in place for using it to issue client certs. That’s what the issue you linked is about.

Caddy can act as an ACME server for (usually) another Caddy server to use as a CA, to establish mutual TLS between those Caddy servers (e.g. a front Caddy acting as a load balancer to multiple backend Caddy servers).
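
To make the reply above concrete, here is an added example that is not part of the original thread and is neither Caddy's nor Smallstep's code. The reply suggests Smallstep's CLI for the CA; since the question says the client certs will be issued by the customer's own software, this example does the same job with Go's standard crypto/x509 instead: create a private root CA (whose PEM is the trusted_ca_certs value), issue a short-lived client certificate for one customer on demand, produce the PEM bundle the customer receives, and run the same check that crypto/tls performs for Caddy when a client presents that certificate. The type and function names (CA, NewCA, IssueCert, CustomerBundle, VerifyClientCert), the CA name and the customer name "customer-42" are made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CA is the customer-facing root. Type and function names here are this example's own, not Caddy's or Smallstep's.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign makes a fresh P-256 key, picks a random 127-bit serial and signs tmpl with parent (nil parent = self-signed).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed root. CertPEM() of it is the trusted_ca_certs value; the private key never reaches Caddy.
func NewCA(name string) (*CA, error) {
	cert, key, err := sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

func (ca *CA) CertPEM() []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw}) }

// IssueCert signs a short-lived leaf for one customer. Without the clientAuth EKU the TLS layer rejects it.
func (ca *CA) IssueCert(customer string, ttl time.Duration, ekus ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: customer}, // visible to Caddy as {http.request.tls.client.subject}
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: ekus,
	}, ca.Cert, ca.Key)
}

// CustomerBundle is what the customer receives: leaf certificate and private key, PEM-encoded.
func CustomerBundle(cert *x509.Certificate, key *ecdsa.PrivateKey) (certPEM, keyPEM []byte, err error) {
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// VerifyClientCert repeats the check crypto/tls runs on Caddy's behalf: chain to a trusted root, valid now, clientAuth EKU.
func VerifyClientCert(trustedCAPEM []byte, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(trustedCAPEM) // an unparseable file leaves the pool empty, so every client fails closed
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, err := NewCA("Example Customer Client CA")
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueCert("customer-42", 24*time.Hour, x509.ExtKeyUsageClientAuth)
	if err != nil {
		panic(err)
	}
	// The PEM printed first is what you save as ca.pem and point Caddy's client_authentication at.
	fmt.Printf("%scustomer-42 accepted: %v\n", ca.CertPEM(), VerifyClientCert(ca.CertPEM(), leaf) == nil)
}
```

Run it with go run; the root PEM it prints is the file to reference from Caddy 2.6's client_authentication (trusted_ca_certs_pem_files in JSON, or the tls directive's client_auth block with mode require_and_verify and trusted_ca_cert_file in the Caddyfile). Only that root certificate is shared with Caddy; the CA private key stays in the issuing software, which can call IssueCert whenever a new customer signs up and hand over the CustomerBundle output. Two things the check makes visible: a certificate signed by the right CA but without the clientAuth extended key usage is still rejected, and Go's crypto/tls, which Caddy relies on here, does no CRL or OCSP lookup for client certificates, so the ttl is the revocation mechanism unless you add one. Caddy exposes the leaf's subject as {http.request.tls.client.subject}, which is how the backend learns which customer connected.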

Thank you so much! This gives me plenty of handles to explore further. That Smallstep looks interesting.

Thanks again for your time and great pointers.
