Issue Details
After piecing things together from the docs, plus a bit of luck (see root key note below), this can be accomplished, but took more time to discover how than anticipated.
The use-case is that I want to give Caddy a custom intermediate to sign with, but without exposing the root cert key. Config to accomplish:
```
{
	# ...
	pki {
		ca foo {
			root {
				format pem_file
				cert /var/certs/root-ca.crt
				# We don't actually have a root key, nor do we
				# want to make caddy use one... so pass a bogus
				# one (it seems it won't be used).
				# Too bad this arg is required.
				key /var/certs/sub-ca.key
			}
			intermediate {
				format pem_file
				cert /var/certs/sub-ca.crt
				key /var/certs/sub-ca.key
			}
		}
	}
}

my.domain {
	# It seems that using 'tls internal' and calling the pki ca 'local'
	# won't actually work. So let's use an explicitly named internal ca.
	# Maybe 'local' would have worked with the expanded 'issuer'-y tls
	# config, not sure.
	tls {
		issuer internal {
			ca foo
		}
	}
	# ...
}
```
Works great otherwise!
(Sidenote - this also allows one to generate custom name constraints, which was also pondered in caddyserver/caddy#5759. See https://www.feistyduck.com/library/openssl-cookbook/online/ section 1.5)
Assistance Disclosure
AI not used
If AI was used, describe the extent to which it was used.
I'd rather keep my mind exercised, and rely on discovering quality expert material to subscribe to, rather than use LLMs.
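As an added check that is not part of the issue or of Caddy's own code: the script below builds a throwaway root plus a name-constrained intermediate with openssl (the cookbook approach the sidenote points at) and then verifies what the config above relies on: that sub-ca.crt chains to root-ca.crt, that sub-ca.key matches sub-ca.crt, and that the file placed in the root block's `key` slot is not the real root key. All names and paths are constructed placeholders; it assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the issue or from Caddy). Builds a test PKI and
# runs the pre-deployment checks for the "custom intermediate, root key
# kept offline" setup. Every name and path here is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA (its key stays offline) and an intermediate that may only issue
# for names under .internal.example, so a leaked sub-ca.key is boxed in.
make_test_pki() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.crt" -days 3650 \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/sub-ca.key" -out "$WORK/sub-ca.csr" \
    -subj "/CN=Example Sub CA" 2>/dev/null
  # Name constraints go into the intermediate; Caddy's leaves inherit them.
  printf '%s\n' \
    "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "nameConstraints=critical,permitted;DNS:.internal.example" \
    > "$WORK/sub-ca.ext"
  openssl x509 -req -in "$WORK/sub-ca.csr" -CA "$WORK/root-ca.crt" \
    -CAkey "$WORK/root-ca.key" -CAcreateserial -days 1825 \
    -extfile "$WORK/sub-ca.ext" -out "$WORK/sub-ca.crt" 2>/dev/null
}

# 0 if $2 (sub-ca.crt) chains to $1 (root-ca.crt) and $3 (sub-ca.key) matches $2.
check_intermediate() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ]
}

# 0 if $2, the key file handed to Caddy's root block, is NOT the private key
# for root cert $1, i.e. the real root key never reached this host.
root_key_absent() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" != "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if cert $1 carries a DNS name constraint for $2.
has_name_constraint() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

make_test_pki
check_intermediate "$WORK/root-ca.crt" "$WORK/sub-ca.crt" "$WORK/sub-ca.key" && echo "intermediate OK"
root_key_absent "$WORK/root-ca.crt" "$WORK/sub-ca.key" && echo "root key not on this host"
has_name_constraint "$WORK/sub-ca.crt" ".internal.example" && echo "name constraint present"
```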