Good question!
Caddy 2 is already a CA: it has a pki app that manages a CA root certificate and intermediate/signing certificate so that it can serve internal sites like localhost or 192.168.1.3 over HTTPS without any need for an external CA – automatically. It even keeps the signing certs renewed, as you might expect. But until today this feature could only be accessed within the same Caddy instance, i.e. each Caddy instance could only sign certificates for its own sites.
ACME is the protocol by which certificates are issued/managed. It’s how Caddy gets certificates from Let’s Encrypt and renews them automatically. Caddy can also sign its own certificates that are trusted on the local machine, but it doesn’t use the ACME protocol (it happens all in-process and no validation is performed). ACME lets you get certificates from a remote authority across a network.
Until today, Caddy was only an ACME client, meaning it could only request certificates from a remote ACME CA such as Let’s Encrypt or Smallstep.
But now Caddy is an ACME server, so it can issue certificates to other ACME clients. (We embed Smallstep’s ACME server.)
This means you can set up other Caddy instances (or any other ACME client) across your network/infrastructure and configure them to use a single Caddy instance as the CA. This means you only have 1 root certificate you need to trust internally.
You can use Caddy as an ACME server by adding the acme_server handler to your routes:
{
"handler": "acme_server"
}
Or with the acme_server Caddyfile directive.
This lets any ACME client get certificates from Caddy’s internal CA by using the directory endpoint of https://localhost/acme/local/directory for example. (local is the name of Caddy’s default CA.)
Combined with the reverse proxy’s client certificate automation feature, Caddy 2.1 offers fully-automatic mTLS. This means Caddy-as-a-client can get its own client certificate and keep it renewed, and Caddy-as-a-server can both obtain or issue its own certificates and keep them renewed.
More details:
https://github.com/caddyserver/caddy/pull/3198
One could really write a book about this, but I guess for now it’ll take some dedicated users to dig into the docs and write a wiki post explaining it better. 