Yes it’s possible, but it’s currently only possible to specify your own root CA cert/key via JSON config. If you’re okay with letting Caddy generate its own CA, then it’s trivial with a Caddyfile. Just use the tls internal option in each site, or the local_certs global option to force all cert issuance to use the local CA.
Next time, please fill out the help topic template. The contextual questions it asks you to answer are very relevant to getting precisely the right answers to your questions.
Thank you very much for your reply @francislavoie , sure here after i will use the template while creating a topic.
I tried locally tls internal like below
localhost:443 {
root * /usr/share/caddy
tls internal
}
It worked and the server automatically created a certificate with the DNS name localhost.
But in our case we have multiple domains assigned to a single IP and we need to create certificates based on the host name (SNI), and we don’t want to hard-code any domain names in the Caddyfile; the server should resolve it automatically and create a certificate based on the hostname. Is there any way we can achieve this?
To use locally-issued certs, just make sure TLS automation policies use Caddy’s internal CA instead of a public one by default. Using the local_certs global option should do the trick if I recall correctly.
Thank you @matt, it worked for me; I am able to generate certificates on the fly by using Caddy’s internal CA.
After that I tried to use our own rootCa by storing it in the folder. When I tried to update the pki using the load API, I am getting a memory address error like below
I looked at the function at the end of the stack trace snippet though and took a best guess that it’s failing to find any PEM data in your .key file. Caddy should now return an error instead of panic:
If you can test Caddy with that build, it would be appreciated. Then make sure your .key file has PEM private key in it.
Thank you very much @matt, by updating my rootCa and privateKey to PEM format, I am no longer getting any error as before.
Will test the same (runtime error) scenario with the latest build and update the topic.
Can you please provide us some instructions or docs related to the custom PKI feature, like what conditions Caddy is validating while using a custom rootCa (constraints) and how we can configure the expiration date for SSL certificates that are generated on-demand?
Now I am able to customize the expiration date of certificates while generating them on-demand. Thank you very much @matt for the doc; we tried to update our own custom rootCa and intermediate CA in the server and we are able to generate SSL certificates signed by our intermediate CA.
While implementing custom PKI using our rootCa, I observed a pattern: we need to provide both the rootCa and the intermediate CA (along with private keys), and only then are SSL certificates generated. If we provide only the rootCa and the rootCa private key, I think Caddy is generating a new intermediate certificate and we are getting errors like below
{"level":"error","ts":1641627747.4992325,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"domain_name","issuer":"caname","error":"authority.Sign; error creating certificate: error creating certificate: x509: provided PrivateKey doesn't match parent's PublicKey","errorVerbose":"x509: provided PrivateKey doesn't match parent's PublicKey\nerror creating certificate\ngo.step.sm/crypto/x509util.CreateCertificate…
Is it mandatory to upload intermediate certificate too?
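For reference, this is the JSON shape the thread is talking about: a custom root and intermediate handed to the pki app (the combination the poster above reports as working), and a TLS automation policy that issues on-demand certificates from that CA with a chosen lifetime. It is an added example, not config from any of the posts; the CA id "local", the file paths, the 24h lifetime and the ask endpoint URL are assumptions.

```json
{
  "apps": {
    "pki": {
      "certificate_authorities": {
        "local": {
          "name": "Example internal CA",
          "root": {
            "format": "pem_file",
            "certificate": "/etc/caddy/pki/root.crt",
            "private_key": "/etc/caddy/pki/root.key"
          },
          "intermediate": {
            "format": "pem_file",
            "certificate": "/etc/caddy/pki/intermediate.crt",
            "private_key": "/etc/caddy/pki/intermediate.key"
          }
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "on_demand": true,
            "issuers": [
              {
                "module": "internal",
                "ca": "local",
                "lifetime": "24h"
              }
            ]
          }
        ],
        "on_demand": {
          "ask": "http://127.0.0.1:9000/allowed"
        }
      }
    },
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            { "handle": [ { "handler": "file_server", "root": "/usr/share/caddy" } ] }
          ]
        }
      }
    }
  }
}
```

The intermediate's private key must correspond to the public key in intermediate.crt, and that certificate must be signed by root.crt; a mismatch between those files is what the x509 "PrivateKey doesn't match parent's PublicKey" error above reports. The ask endpoint is the hostname allow-list that keeps on-demand issuance from being triggered for arbitrary SNI names.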