Created
July 7, 2026 15:56
-
-
Save RickyCook/46a862738d338623dfdfd8327621f05c to your computer and use it in GitHub Desktop.
Constrained local root CA for Caddy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ v3_ca ] | |
| basicConstraints = critical, CA:true | |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
| subjectKeyIdentifier = hash | |
| authorityKeyIdentifier = keyid:always,issuer | |
| # This restricts the CA to ONLY sign domains ending in .lan or .local | |
| nameConstraints = critical, permitted;DNS:.lan, permitted;DNS:.local |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| pki { | |
| ca local { | |
| name "My Constrained Local CA" | |
| root { | |
| cert /etc/caddy/certs/root.crt | |
| key /etc/caddy/certs/root.key | |
| } | |
| intermediate { | |
| cert /etc/caddy/certs/intermediate.crt | |
| key /etc/caddy/certs/intermediate.key | |
| } | |
| } | |
| } | |
| } | |
| # Your local site blocks will now use this constrained issuer automatically | |
| app.lan { | |
| tls internal | |
| reverse_proxy 192.168.25:8080 | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment