diff --git a/README.md b/README.md
index 7ffdc83a..2f918a06 100644
--- a/README.md
+++ b/README.md
@@ -116,7 +116,7 @@ Visit `http://localhost:3000/login` and sign in with your credentials.
 | **Redirects** | Set up 301/302 redirects with optional query string preservation |
 | **Dead Hosts** | Display branded maintenance pages with custom status codes |
 | **Access Lists** | Create HTTP basic-auth user lists and assign them to proxy hosts |
-| **Certificates** | Request ACME-managed certificates or import custom PEM files |
+| **Certificates** | Import custom SSL/TLS certificates (internal CA, wildcards, etc.) - Caddy auto-manages public certs |
 | **Settings** | Configure primary domain, ACME email, and Cloudflare DNS automation |
 | **Audit Log** | Review chronological feed of all administrative actions |
@@ -253,6 +253,40 @@ npm run dev
 ---
+## Certificate Management
+
+### Automatic HTTPS (Default)
+
+Caddy automatically handles SSL/TLS certificates for all proxy hosts:
+
+- **Zero Configuration**: Just add a domain to a proxy host - certificates are obtained automatically
+- **Auto-Renewal**: Certificates renew automatically before expiration
+- **Multiple Domains**: Each proxy host can have multiple domains with automatic cert management
+- **Wildcard Support**: Use Cloudflare DNS-01 challenge for wildcard certificates
+
+**No action required** - this works out of the box!
+
+### Custom Certificates (Optional)
+
+Import your own certificates when you need to:
+
+- **Internal CA**: Use certificates from your organization's Certificate Authority
+- **Pre-existing Certs**: Reuse certificates you already have
+- **Special Requirements**: Compliance, security policies, or specific certificate features
+- **Wildcard from DNS Provider**: Import wildcard certificates from your DNS provider
+
+**How to import:**
+1. Navigate to **Certificates** page
+2. Click **Import Custom Certificate**
+3. Provide certificate name and domains
+4. Paste certificate PEM (full chain recommended)
+5. Paste private key PEM
+6. Save and assign to proxy hosts as needed
+
+**Security Note**: Imported private keys are stored in the database. Ensure your `.env` file and database have restricted permissions (`chmod 600`).
+
+---
+
 ## Cloudflare DNS Automation
 
 To enable automatic SSL certificates with Cloudflare DNS-01 challenges:
diff --git a/app/(dashboard)/certificates/CertificatesClient.tsx b/app/(dashboard)/certificates/CertificatesClient.tsx
index c46bcfd2..4b9063d3 100644
--- a/app/(dashboard)/certificates/CertificatesClient.tsx
+++ b/app/(dashboard)/certificates/CertificatesClient.tsx
@@ -1,21 +1,20 @@ "use client"; import ExpandMoreIcon from "@mui/icons-material/ExpandMore"; +import InfoOutlinedIcon from "@mui/icons-material/InfoOutlined"; import { Accordion, AccordionDetails, AccordionSummary, + Alert, Box, Button, Card, CardContent, Chip, - FormControlLabel, - MenuItem, Stack, TextField, - Typography, - Checkbox + Typography } from "@mui/material"; import type { Certificate } from "@/src/lib/models/certificates"; import { createCertificateAction, deleteCertificateAction, updateCertificateAction } from "./actions"; @@ -25,139 +24,263 @@ type Props = { }; export default function CertificatesClient({ certificates }: Props) { + const importedCerts = certificates.filter(c => c.type === "imported"); + const managedCerts = certificates.filter(c => c.type === "managed"); + return ( - Certificates + SSL/TLS Certificates - Manage ACME-managed certificates or import your own PEM files for custom deployments. + Caddy automatically handles HTTPS certificates for all proxy hosts using Let's Encrypt. + Import custom certificates only when needed (internal CA, special requirements, etc.). - - {certificates.map((cert) => ( - - - - - - {cert.name} - - - {cert.domain_names.join(", ")} - - - - + }> + + How Caddy handles certificates: + + + • Automatic HTTPS: Caddy automatically obtains and renews certificates for all domains +
+ • No configuration needed: Just add a proxy host with a domain, and Caddy handles the rest +
+ • Custom certificates: Import your own certificates only when you have specific requirements +
+
- - } sx={{ px: 0 }}> - Edit - - - updateCertificateAction(cert.id, formData)} spacing={2}> - - - - Managed (ACME) - Imported - - {cert.type === "managed" ? ( - + {managedCerts.length > 0 && ( + + + + Legacy "Managed" certificates detected: These entries are redundant since Caddy automatically manages HTTPS. + Consider deleting them unless you need to explicitly track certificate usage. + + + + + Managed Certificates (Legacy) + + + + {managedCerts.map((cert) => ( + + + + + + {cert.name} + + + {cert.domain_names.join(", ")} + + + + + + + + + + } sx={{ px: 0 }}> + Edit / Delete + + + updateCertificateAction(cert.id, formData)} spacing={2}> + + + + - } label="Auto renew" /> - - ) : ( - <> + + + + + + + + +
+
+ ))} +
+
+ )} + + {importedCerts.length > 0 && ( + + + Imported Certificates + + + + {importedCerts.map((cert) => ( + + + + + + {cert.name} + + + {cert.domain_names.join(", ")} + + + + + + + } sx={{ px: 0 }}> + Edit / Delete + + + updateCertificateAction(cert.id, formData)} spacing={2}> + + + + - - )} - - - - - - - - - - ))} - + + + + + + + + + + + ))} + + + )} - Create certificate + Import Custom Certificate + + + + When to import certificates: + + +
  • Using an internal Certificate Authority (CA)
  • +
  • Wildcard certificates from your DNS provider
  • +
  • Pre-existing certificates you want to reuse
  • +
  • Special compliance or security requirements
  • +
    + + Otherwise: Just create a proxy host with your domain - Caddy will handle everything automatically! + +
    + - + + - - Managed (ACME) - Imported - - } label="Auto renew (managed only)" /> + + + + + -