It’s really not? I wasn’t suggesting the Smallstep CA service, I was suggesting their `step` CLI program. Single binary to run, easy to get via that link or via a container.

I actually thought this would simplify the whole troubleshooting process (explained in a later section). I was not expecting OP to sink time into YT videos on Smallstep CA.

While my response was a tad verbose, the intent was to provide ample commentary and doc links for additional context, and there was no expectation/requirement to understand the advice too deeply beyond the instructions given.
Simple - Only 3 straightforward commands to run
Using Smallstep the way I showed above is only 3 commands:

1. `step-cli certificate create` (create a root cert)
2. `step-cli certificate create` (create a leaf cert)
3. `step-cli certificate install` (install the root cert to the trust store, aka `caddy trust`)
```sh
# 1. Create a self-signed root CA cert + key (no passphrase on the key)
step-cli certificate create 'Smallstep Root CA' ca-cert.pem ca-key.pem \
  --profile root-ca --no-password --insecure

# 2. Create a leaf cert + key for example.com, signed by that root
step-cli certificate create 'Smallstep Leaf' cert.pem key.pem \
  --ca ca-cert.pem --ca-key ca-key.pem \
  --profile leaf --no-password --insecure --san 'example.com'

# 3. Install the root cert into the local trust store
step-cli certificate install ca-cert.pem
```
Followed by replacing the `tls internal` directive in their Caddyfile to use `tls /path/to/cert.pem /path/to/key.pem` instead.
Misunderstandings due to similarly named product from Smallstep
The assumption was that this would be a far more transparent approach for troubleshooting by provisioning and configuring the cert files manually (which, as can be seen above, is very simple).

Once they have that working, they could go back to their implicit Caddy-managed setup for certs, and if there were any remaining issues with that, troubleshooting should at least be easier via comparing a working explicit config.
Clearly I made a mistake here with my advice?
I don’t believe I directed anyone towards Smallstep CA, but only the `step-cli` command (with a download link and doc links), yet both of you got the impression I was referring to the full CA service.
Docker Compose
For those comfortable with Docker Compose, here is a single `compose.yaml` file that you can copy/paste to run via a container to create the certificates.
```yaml
# Run this with `docker compose run --rm get-certs`
services:
  get-certs:
    image: smallstep/step-ca
    # Your new cert files will be provisioned into this local `certs/` folder:
    volumes:
      - "./certs/:/tmp/certs/"
    # non-root (1000:1000) by default, change to the UID/GID of your `certs/` dir:
    user: root
    # Everything below is container specific:
    working_dir: /tmp/certs
    entrypoint: /tmp/generate-certs.sh
    configs:
      - source: generate-certs
        target: /tmp/generate-certs.sh
        # Make script executable:
        mode: 0500

# NOTE: The `smallstep/step-ca` container provides `step-cli` as `step` instead
configs:
  generate-certs:
    content: |
      #!/usr/bin/env bash
      step certificate create 'Smallstep Root CA' ca-cert.pem ca-key.pem \
        --profile root-ca --no-password --insecure
      step certificate create 'Smallstep Leaf' cert.pem key.pem \
        --ca ca-cert.pem --ca-key ca-key.pem \
        --profile leaf --no-password --insecure --san 'example.com'
```
NOTE:

- The example uses the compose feature `configs` (instead of `volumes`) to embed the shell script into the same `compose.yaml` file. Thus the Docker Compose version must be a release from at least 2024.
- The example only covers the first two `step-cli` commands to provision certs, since it’s containerized it’s not really ideal for updating a trust store?
I didn’t share this originally as I thought it would only add to any potential confusion (given the image name), even though it’s a simple copy/paste + single command to run.