From c97292b255c144dfa9f1ea1dfcdec3b82717110d Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Tue, 7 May 2024 05:38:26 +0200
Subject: [PATCH] caddypki: Allow use of root CA without a key. Fixes #6290
 (#6298)

* Allow usage of root CA without a key. Fixes #6290

* Update modules/caddypki/crypto.go

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---
 modules/caddypki/crypto.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/modules/caddypki/crypto.go b/modules/caddypki/crypto.go
index 386ce629..324a4fcf 100644
--- a/modules/caddypki/crypto.go
+++ b/modules/caddypki/crypto.go
@@ -78,18 +78,21 @@ func (kp KeyPair) Load() (*x509.Certificate, crypto.Signer, error) {
 		if err != nil {
 			return nil, nil, err
 		}
-		keyData, err := os.ReadFile(kp.PrivateKey)
-		if err != nil {
-			return nil, nil, err
-		}
-
 		cert, err := pemDecodeSingleCert(certData)
 		if err != nil {
 			return nil, nil, err
 		}
-		key, err := certmagic.PEMDecodePrivateKey(keyData)
-		if err != nil {
-			return nil, nil, err
+
+		var key crypto.Signer
+		if kp.PrivateKey != "" {
+			keyData, err := os.ReadFile(kp.PrivateKey)
+			if err != nil {
+				return nil, nil, err
+			}
+			key, err = certmagic.PEMDecodePrivateKey(keyData)
+			if err != nil {
+				return nil, nil, err
+			}
 		}
 
 		return cert, key, nil