Re: [squid-users] SSLBump and intermedia CA Certificate.

From: Lindsay Hill <lindsayh_at_makonetworks.com>
Date: Wed, 08 Jun 2011 15:30:46 +1200

On 06/08/2011 02:52 PM, Amos Jeffries wrote:
> On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
>> Hi all.
>>
>> Finally I successful implemented ssl-bump with dynamic certificate
>> generation feature.
>> But, I don't know how to configure squid to use intermediate ca
>> certificate.
>> I generated Root CA, then using Root CA i signed Intermediate CA
>> certificate and now, I want squid to use this Intermediate CA
>> Certificate while generating certs for https connections.
>> Then I want to import Root CA certificate into Windows PKI to solve
>> "Unknown CA" error while surfing https pages.
>> How can I do that?
>
> The client must have a full chain of trust from the root all the way
> down to the end certificate during the transactions. I think you may
> find that signing with an intermediate CA needs to install both the
> root and the intermediate public CA on the clients.
>
>
>> I'm looking around cafile, capath of ssl-bump options but nothing
>> works for me.
>
> http://wiki.squid-cache.org/Features/SslBump
>
> To squid there is only the cert PEM you told it to sign with.
>
> Amos
>

This matches up with what I've seen so far with my testing - I thought I
might be able to get it to provide the full certificate chain to users,
by playing around with the cafile settings, but no joy. Since all my
browsers already trust my root CA, I thought that creating an
intermediate CA for use by Squid would be sufficient. But no, I've had
to install the intermediate CA on my browsers too. Feature request I guess?

  - Lindsay
Received on Wed Jun 08 2011 - 03:30:59 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 23 2011 - 12:00:02 MDT