> ## Documentation Index > Fetch the complete documentation index at: https://docs.scanoss.com/llms.txt > Use this file to discover all available pages before exploring further. # Certificate Management > Configure HTTPS and TLS certificates for your Caddy proxy, including automatic certificates, self-signed certificates, and custom certificate files. ## Overview By default, Caddy runs over HTTP on your chosen local port. If your deployment requires HTTPS — for example, to encrypt traffic between internal services or to meet security requirements — you can configure Caddy to serve over HTTPS using one of three approaches: * **Automatic certificates** via a public domain name (using Let's Encrypt) * **Self-signed certificates** for local or internal use * **Custom certificate files** provided directly ## Automatic HTTPS with a Domain If you have a public domain name with a DNS record pointing to your server, Caddy can automatically obtain and renew TLS certificates from Let's Encrypt: ``` proxy.example.com { reverse_proxy https://api.scanoss.com { header_up x-api-key "YOUR_API_KEY_HERE" header_up Host api.scanoss.com } } ``` Replace `proxy.example.com` with your actual domain. Caddy will automatically: * Obtain a TLS certificate from Let's Encrypt * Serve HTTPS on port 443 * Redirect HTTP requests to HTTPS > **Prerequisite:** Your domain must have a valid DNS A record pointing to the server, and > port 80 must be publicly accessible so that Let's Encrypt can complete its HTTP challenge. ## Self-Signed Certificate for Internal Use For internal or local deployments that do not use a public domain, you can instruct Caddy to generate a self-signed certificate using its built-in local certificate authority (CA). This is done by specifying `tls internal` in your **Caddyfile**. **Localhost:** ``` localhost:1980 { tls internal reverse_proxy https://api.scanoss.com { header_up x-api-key "YOUR_API_KEY_HERE" header_up Host api.scanoss.com } } ``` **Specific internal IP address:** ``` https://192.168.1.100:1980 { tls internal reverse_proxy https://api.scanoss.com { header_up x-api-key "YOUR_API_KEY_HERE" header_up Host api.scanoss.com } } ``` > **Note:** Self-signed certificates will trigger security warnings in browsers and HTTP > clients. To suppress these warnings, you must either add Caddy's local CA certificate to > your system's trusted certificate store, or configure your tools to accept self-signed > certificates explicitly. ## Custom Certificate Files If you have your own certificate and private key files, you can specify their paths directly in the **Caddyfile**: ``` :1980 { tls /path/to/cert.pem /path/to/key.pem reverse_proxy https://api.scanoss.com { header_up x-api-key "YOUR_API_KEY_HERE" header_up Host api.scanoss.com } } ``` Replace `/path/to/cert.pem` and `/path/to/key.pem` with the absolute paths to your certificate and private key files. If your certificate authority provides intermediate certificates, use a full-chain certificate file (e.g. `fullchain.pem`) rather than the end-entity certificate alone. ## Updating Client Configuration for HTTPS When HTTPS is enabled on your Caddy instance, update the proxy base URL in all client configurations — such as environment variables, configuration files, or SDK settings — to use `https://` instead of `http://`. For example, depending on your deployment, your proxy address will take one of the following forms: ``` https://localhost:1980 https://192.168.1.100:1980 https://proxy.example.com ``` Refer to the configuration documentation for your specific client tool for details on where to set the proxy address.