How to configure Caddy with internal intermediate CA signed by AD CS?

Hello

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

systemctl start the service

a. System environment:

Ubuntu Focal

b. Command:

caddy reload --config /etc/caddy/Caddyfile

d. My complete Caddy config:

{
	pki {
		ca internalca {
			name "Caddy Intermediate CA"
			root {
				cert /etc/caddy/caddy.crt.pem
				key /etc/caddy/caddy.key.pem
				format pem_file
			}
		}
	}
}

https://portainer.corp.example.com {
	reverse_proxy https://pilot.corp.example.com:9443
}

3. The problem I’m having:

I’m simply trying to set up Caddy to use an intermediate CA signed by our AD CS.

The key and cert already exist and are signed.

We are using Caddyfile so far

And I cannot find any complete documentation about:

  • how to completely configure Caddy TLS to use a specific keypair
  • how to automate TLS in Caddyfile and not in JSON

5. What I already tried:

I’ve read what I could, mixing some docs using the JSON format and others using the Caddyfile one. Documentation for the two formats doesn’t always present the same options…

So my question as someone who started to use Caddy 2 hours ago is: what am I supposed to do to run a pretty classic and simple config for internal use with Caddy having its own Intermediate CA signed by AD CS?

You’ll need to enable the internal issuer for your site to make it use the CA you configured.

{
	pki {
		ca internalca {
			name "Caddy Intermediate CA"
			root {
				# the existing keypair that AD CS signed
				cert /etc/caddy/caddy.crt.pem
				key /etc/caddy/caddy.key.pem
				format pem_file
			}
		}
	}
}

https://portainer.corp.example.com {
	tls {
		# issue this site's certificate from the CA defined above
		internal {
			ca internalca
		}
	}
	reverse_proxy https://pilot.corp.example.com:9443
}

If you don’t give a name to your custom CA (i.e. leave it default) then you can shorten the config in your site to just tls internal.

Or you can use the local_certs global option to make all sites use the default internal CA.

Thanks! It’s getting better!

Additional question: how should I add the CA chain? My /etc/caddy/caddy.crt.pem was supposed to be the Caddy CA; actually it creates another intermediate one, created by that intermediate. Why not.

But how can I add here the public key (only) of my Root CA (the AD CS one) to add to the chain?

Or is it possible to do something like that?

			root {
				cert /etc/caddy/adcs.crt.pem
			}
			intermediate {
				cert /etc/caddy/caddy.crt.pem
				key /etc/caddy/caddy.key.pem
				format pem_file
			}

I guess you can use the sign_with_root option.

We might not have covered that usecase (i.e. no access to root key). Not sure if that’s even possible with the underlying lib we use (Smallstep). We’ll have to look into that later.
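As an added check for the chain question above (this is an example written for this page, not code from the thread or from the Caddy project), the script below builds a throwaway three-tier hierarchy with openssl, standing in for the AD CS root, the intermediate Caddy signs with, and a leaf Caddy would issue, and then verifies the leaf the way a client would: against the root's public certificate only, with and without the intermediate presented alongside the leaf. The hostnames, subjects and file names are assumptions taken from the thread; the hierarchy is constructed locally so it runs without AD CS or Caddy. `show_served_chain` is the same check pointed at a live server.

```shell
#!/bin/sh
# Added example, not code from the thread or the Caddy project. Builds a toy
# root -> intermediate -> leaf chain (constructed stand-ins, not real AD CS
# material) and shows that a client holding only the root's public cert can
# verify the leaf only if the intermediate is served alongside it.
set -eu

# Create the toy hierarchy in a temp dir and print that dir's path.
make_toy_hierarchy() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    # Minimal req config so the script does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name = req\nprompt = no\n' > req.cnf
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:portainer.corp.example.com\n' > leaf.ext

    # Root (stands in for the AD CS root CA): self-signed. Only root.crt is
    # ever handed to clients; its key never leaves the CA.
    openssl ecparam -genkey -name prime256v1 -noout -out root.key
    openssl req -new -key root.key -config req.cnf -subj '/CN=Toy AD CS Root CA' -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -sha256 -days 30 -extfile ca.ext -out root.crt

    # Intermediate (stands in for /etc/caddy/caddy.crt.pem + caddy.key.pem): signed by the root.
    openssl ecparam -genkey -name prime256v1 -noout -out int.key
    openssl req -new -key int.key -config req.cnf -subj '/CN=Caddy Intermediate CA' -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -sha256 -days 30 -extfile ca.ext -out int.crt

    # Leaf: the kind of certificate the internal issuer mints for the site, signed by the intermediate.
    openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
    openssl req -new -key leaf.key -config req.cnf -subj '/CN=portainer.corp.example.com' -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -sha256 -days 30 -extfile leaf.ext -out leaf.crt
  ) >/dev/null 2>&1
  printf '%s\n' "$dir"
}

# Verify a leaf against a trust anchor the way a client does.
# $1 = root cert (public only), $2 = intermediate cert or "" when the server
# omits it, $3 = leaf cert. Prints "ok" or "fail".
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Against a live server ($1 = host:port): print the chain it actually sends,
# leaf first, then intermediates. The root does not need to be in the served
# chain; it needs to be in the client's trust store.
show_served_chain() {
  host="${1%%:*}"
  openssl s_client -connect "$1" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
    | openssl pkcs7 -print_certs -noout
}

if [ "${1:-}" = "demo" ]; then
  d=$(make_toy_hierarchy)
  echo "with intermediate:    $(verify_chain "$d/root.crt" "$d/int.crt" "$d/leaf.crt")"
  echo "without intermediate: $(verify_chain "$d/root.crt" "" "$d/leaf.crt")"
  rm -rf "$d"
fi
```

Run it with `sh chaincheck.sh demo` (file name assumed) to see the two outcomes side by side; point `show_served_chain portainer.corp.example.com:443` at the real Caddy host to confirm the intermediate appears after the leaf, and feed that leaf and intermediate to `verify_chain` together with the exported AD CS root certificate.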