1. The problem I’m having:
I’m unsure how to renew, or create a new, root CA via Caddy. By default the root expires after 10 years and although this is a long time away, I would like to know how to create a new certificate when using Caddy’s auto-generated certificates.
2. Error messages and/or full log output:
No error. Just advice.
3. Caddy version:
2.8.4
4. How I installed and ran Caddy:
Used a Caddyfile with defaults for certificate creation. Used as a reverse proxy.
Good question. Currently the root cert is not auto-renewed, since it often requires manual intervention to update the trust stores anyway. So automatically renewing it would be kinda pointless.
I’m actually thinking of lengthening its lifetime, but of course that doesn’t solve the problem.
Best thing to do I think would be to delete it from storage and let Caddy regenerate a root cert, but of course you’ll need to add it to trust stores at that point.
So, am I right to think at the moment the procedure would be:
1. Stop Caddy
2. Rename or move all certs in /home/pi/.local/share/caddy/pki/authorities/local
3. Start Caddy
At this point, Caddy will regenerate the root and intermediate certs and reissue to the sites?
Then, the new root.crt in /home/pi/.local/share/caddy/pki/authorities/local would need to be distributed to clients to trust it (and also installed into the cert store locally if needed)?
With regards to lifetime, could this be configurable? By default and automatically it’s 10 years, for example, but could a different length be specified (keeping everything else secure and default) if needed?
It would be nice to keep the cert secure with the default options but also increase the lifetime of the cert, if that makes sense?
When I searched before posting, I saw you’d mentioned the age of the cert and maybe changing it. Maybe this way you can leave it at 10 years and let the user decide if they want it to be more or less?
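The rotation procedure discussed above (stop Caddy, move the local CA files aside, start Caddy so it regenerates the root and intermediate, then distribute the new root.crt) as a small POSIX shell script. This is an added example, not code from the Caddy project or from anyone in this thread. It assumes the storage path quoted in the thread and a systemd-managed Caddy service (`systemctl stop/start caddy`); the directory and the service commands are assumptions to adjust for your install. The old files are moved into a timestamped backup rather than deleted, so the step is reversible and the old root can still be identified when migrating clients.

```shell
#!/bin/sh
# Rotate Caddy's locally generated root CA by moving the current CA files aside.
# Added example, not from the Caddy project or the thread author. Assumptions:
# the default storage path from the thread and a systemd unit named "caddy".
set -eu

# Storage path quoted in the thread; override via the environment if yours differs.
CADDY_AUTHORITY_DIR="${CADDY_AUTHORITY_DIR:-/home/pi/.local/share/caddy/pki/authorities/local}"

# rotate_local_ca DIR
# Moves every file in DIR (root.crt, root.key, intermediate.crt, intermediate.key
# in a default install) into a sibling timestamped backup directory, so Caddy
# generates a fresh root and intermediate on its next start. Prints the backup path.
rotate_local_ca() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    backup="${dir}.bak.$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$backup"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: glob did not expand
        mv "$f" "$backup/"
    done
    chmod 700 "$backup"              # the backup still holds the old private keys
    echo "$backup"
}

# count_files DIR: number of regular files directly inside DIR (used to verify the move)
count_files() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# root_not_after CERT: expiry date of a PEM certificate, to confirm the regenerated
# root really is new. Requires openssl on the host.
root_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Full procedure from the thread. It only runs when CADDY_ROTATE=1 is set, so the
# file can be sourced for its functions without touching a live install.
if [ "${CADDY_ROTATE:-0}" = "1" ]; then
    sudo systemctl stop caddy                                  # 1. stop Caddy
    backup=$(rotate_local_ca "$CADDY_AUTHORITY_DIR")           # 2. move the old CA aside
    echo "old CA saved to $backup"
    sudo systemctl start caddy                                 # 3. start Caddy; it regenerates the CA
    sleep 2                                                    #    give it a moment to write the files
    echo "new root expires: $(root_not_after "$CADDY_AUTHORITY_DIR/root.crt")"
    # 4. distribute the new root.crt to clients; on the Caddy host itself,
    #    `caddy trust` installs it into the local trust store.
fi
```

Run it as `CADDY_ROTATE=1 sh rotate-local-ca.sh` on the host. Until step 4 is done for every client, anything that trusted the old root will reject certificates issued by the new one, which is exactly why the thread notes that automatic renewal of the root would not help on its own.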