I’ve made a few inroads. It seems that Caddy can use its own internal CA or use a local step-ca
instance. This is described in the Smallstep topic Configure popular ACME clients to use a private CA with the ACME protocol - Caddy V2.
When I compare the notes in that link with @Rob789’s wiki article Use Caddy for local HTTPS (TLS) between front-end reverse proxy and LAN hosts, it appears to match his backend configuration.
While I’ve managed to successfully set up the Smallstep CA in the same space as my Caddy frontend, what’s not clear is how I configure the Caddy frontend to work with the Smallstep CA rather than its internal CA.
I suspect this Caddy block needs to be modified to stitch the two together, but I’m not quite sure how to move forward from here. Help!
# ACME Server
caddy.roadrunner {
    # Expose an ACME directory for the LAN hosts; the certificates it
    # issues are signed by Caddy's built-in internal CA, not by step-ca.
    acme_server
    # This site's own certificate is also issued by the internal CA.
    tls internal
}
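One way to wire the frontend to step-ca is to make Caddy an ACME client of the step-ca instance instead of relying on its own internal CA. The Caddyfile below is an added example, not the poster's configuration and not taken from the Caddy or Smallstep documentation. The hostnames, the backend addresses, the root certificate path, the step-ca port 9000 and the provisioner name `acme` in the directory URL are all assumptions; the directory URL has the shape https://<ca-host>:<port>/acme/<provisioner>/directory, where the provisioner is whichever ACME provisioner was added to step-ca.

```caddyfile
{
    # Global ACME settings: every site in this Caddyfile requests its
    # certificate from step-ca rather than from Caddy's internal CA or
    # a public CA. ASSUMED host, port (9000 is step-ca's default) and
    # provisioner name "acme".
    acme_ca https://ca.roadrunner:9000/acme/acme/directory
    # Trust the step-ca root so Caddy can verify the CA's own HTTPS
    # endpoint when it fetches the ACME directory. ASSUMED path.
    acme_ca_root /etc/step/root_ca.crt
}

# Front-end reverse proxy: its certificate now comes from step-ca.
app.roadrunner {
    # ASSUMED backend address.
    reverse_proxy 192.168.1.20:443 {
        # The backend presents a step-ca-issued certificate as well, so
        # verify it against the same root instead of disabling checks.
        transport http {
            tls_trusted_ca_certs /etc/step/root_ca.crt
        }
    }
}

# Per-site override: one site can point at a different ACME directory
# (or back to the internal CA with "tls internal") without touching the
# global block.
intranet.roadrunner {
    tls {
        ca https://ca.roadrunner:9000/acme/acme/directory
        ca_root /etc/step/root_ca.crt
    }
    # ASSUMED backend address.
    reverse_proxy 192.168.1.21:8080
}
```

Two caveats worth checking before reloading. First, step-ca's ACME provisioner still has to validate each name, so from step-ca's point of view `app.roadrunner` must resolve to the Caddy host and port 80 (HTTP-01) or 443 (TLS-ALPN-01) must be reachable; if it is not, the issuance fails and Caddy logs the challenge error. Second, the `acme_server` block on `caddy.roadrunner` keeps issuing from Caddy's internal CA, which is a separate root from step-ca's, so backends enrolled against it will not chain to the step-ca root; to end up with a single root on the LAN, point those backends at the step-ca directory too, or drop the `acme_server` block.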