Re: [squid-users] wild card ssl certificate

From: Amos Jeffries
Date: Mon, 06 Jul 2009 10:45:16 +1200

Mario Remy Almeida wrote:
> Hi All,
> I followed the steps mentioned in the below URL.
> When the below command is executed:
> openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1000
> I get the below message, which means some options are missing.
> Can someone tell me what I am missing?
> Is it rsa:1024 instead of rsa?

Yes, it needs the bit length. Though for the CA cert it's advised to use
a stronger/longer bit length than normal. 2048 bits is mentioned in the
wiki for now.

Thanks for reporting that. Wiki updated.


> req [options] <infile >outfile
> where options are
> -inform arg input format - DER or PEM
> -outform arg output format - DER or PEM
> -in arg input file
> -out arg output file
> -text text form of request
> -pubkey output public key
> -noout do not output REQ
> -verify verify signature on REQ
> -modulus RSA modulus
> -nodes don't encrypt the output key
> -engine e use engine e, possibly a hardware device
> -subject output the request's subject
> -passin private key password source
> -key file use the private key contained in file
> -keyform arg key file format
> -keyout arg file to send the key to
> -rand file:file:...
> load the file (or the files in the directory) into
> the random number generator
> -newkey rsa:bits generate a new RSA key of 'bits' in size
> -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
> -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)
> -config file request template file.
> -subj arg set or modify request subject
> -multivalue-rdn enable support for multivalued RDNs
> -new new request.
> -batch do not ask anything during request generation
> -x509 output a x509 structure instead of a cert. req.
> -days number of days a certificate generated by -x509 is valid for.
> -set_serial serial number to use for a certificate generated by -x509.
> -newhdr output "NEW" in the header lines
> -asn1-kludge Output the 'request' in a format that is wrong but some CA's
> have been reported as requiring
> -extensions .. specify certificate extension section (override value in config file)
> -reqexts .. specify request extension section (override value in config file)
> -utf8 input characters are UTF8 (default ASCII)
> -nameopt arg - various certificate name options
> -reqopt arg - various request text options
> //Remy

Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid
Received on Sun Jul 05 2009 - 22:45:23 MDT
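
The corrected command from this thread, as an added example that is not part of the original messages: it passes the RSA key length explicitly (2048 bits, as mentioned in the reply) and reads the length back from the resulting certificate. The `-subj` value, the `cakey.pem` file name and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: create the self-signed CA certificate with an explicit RSA
# key length, then confirm the length recorded in the certificate.

# make_ca DIR BITS: write DIR/cakey.pem and DIR/cacert.pem.
# Assumptions: the -subj value is a constructed placeholder, and -nodes
# leaves the key unencrypted only so this run is non-interactive; omit
# -nodes to be prompted for a passphrase that protects the CA key.
make_ca() {
    openssl req -x509 -newkey "rsa:$2" -nodes \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" -outform PEM \
        -days 1000 -subj "/CN=Example Test CA" 2>/dev/null
}

# cert_bits FILE: print the public key size stored in the certificate.
# Matches both "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)".
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' |
        head -n 1
}

# ca_bits_ok BITS: generate a CA in a scratch directory (mktemp -d creates
# it with mode 0700) and succeed only if the certificate carries BITS bits.
ca_bits_ok() {
    got=""
    dir=$(mktemp -d) || return 1
    make_ca "$dir" "$1" && got=$(cert_bits "$dir/cacert.pem")
    rm -rf "$dir"
    [ "$got" = "$1" ]
}

ca_bits_ok 2048 && echo "CA certificate carries a 2048-bit RSA key"
```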
