Use Caddy only for ssl certificate/key generation

Hello there,

I just wanted to ask whether it is possible to use Caddy v2 only for Letsencrpyt ssl certificate and key generation on certain websites?

And when this is currently not possible, would this be a feasible feature request?

This would be really handy because my firewall forwards incoming requests on port 443 and 80 to the caddy host.

Thanks in advance!

Yes, just define a site block like this! {
	respond "Site not served from here"

Caddy will manage certificates for all the sites listed in your Caddyfile.

1 Like


And where can I retrieve the certificate (and the key) file?

The storage locations are here:

Thanks for your help!

Found the certs/keys under data/caddy/certificates/<mydomain>

While digging deeper I found out that the keys are much shorter than I am used to and use elliptic curve cryptography, which I haven’t heard of before. How do they differ from the usual RSA keys and are they as secure?

And whilst the keys being shorter than usual, the certs seem to be not shortened - why is that the case?

Good questions!

RSA vs ECC is a big topic. In general, yes ECC keys are “more secure” but it’s all kinds of complicated math to explain why (it’s really more that it’s more efficient, not necessarily more secure; both are still quite secure). I recommend you do your own research on this topic, Google will explain better than I could on short notice :slight_smile: Here’s a relevant answer:

Certificates themselves just store a bunch of metadata like what site it’s for, how long it’s valid, who the certificate authority that signed it is, and ultimately, the public key portion of your key-pair (the key file has the private key, and you can calculate the public part from the private key with ECC; I don’t remember if that property holds as well with RSA, I’ve studied ECC more recently). Essentially the CA takes your CSR (certificate signing request) which contains your public key and the site you want to issue a cert for, etc, then digitally signs (bunch of math) using their super-secret private key. Anyone who knows the CA’s public key (which can be found in the root CA cert) can verify that they, and only they, signed your certificate to prove that it’s good.

All that’s to say, the only bit that changes in your certificate is the public key portion which is just one small part of the certificate. I’m pretty sure that ECC public keys are shorter, but you won’t notice the length difference as much because it’s part of all kinds of other data.

Something you can do to learn more about what’s in the certificate, take your certificate and paste it in this site: ASN.1 JavaScript decoder (don’t worry, it’s entirely using client-side JS, it doesn’t send your cert to any servers - but that would be okay anyways because your cert is public information anyways). Essentially it decodes the binary structure of your certificate and displays it to you. You’ll be able to spot where the public key is in the binary structure as well as where your domain name is, etc. You can also paste in your private key to see the structure it has as well (but you’re allowed to be a bit more paranoid about that). ASN.1 is the binary packing format typically used for certificates/keys. It’s essentially a tree structure.

Probably my favourite cryptography videos in terms of explaining in simple terms are those from Computerphile:


If you want to only manage certificates and not run an HTTPS server too, it’s also very easy:


Thank you for the extensive answers!

You guys rock!

1 Like

I have one more question:

Is it possible to have caddy output a combined key and certificate file?
(Because that’s what lighttpd needs)

(or is it possible to have run a command every time a new cert is generated?; that way I could run cat key cert > combined.pem on renewal)

No, nothing built-in. Caddy isn’t really in the business of including weird hacks to make other software happy.

You could probably set up a cron (maybe hourly, idk) to check if the files have changes, and combine them if so.

Also, combining a private key and a public key into the same file sounds like a bad idea.

I know, that’s what I thought as well. Unfortunately I am stuck using an old version of lighttpd for a certain application, which only supports this combined pem file.

Thanks for your help either way!

This topic was automatically closed after 30 days. New replies are no longer allowed.