Re: [squid-users] Need help on SSL bump and certificate chain

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Mon, 22 Apr 2013 11:05:48 -0600

On 04/22/2013 10:36 AM, alex_at_imaginers.org wrote:

> This is working fine when using my self generated CA for signing the requests

Let's call this CA "selfCA".

> I want to get rid of the browser warning so I try to use a CA already
> recognized in the browser, what should be possible following this ticket:
> http://bugs.squid-cache.org/show_bug.cgi?id=3426 (already mentioned)

You may have misinterpreted what that bug report says. The reporter
placed his selfCA into the browser. The reporter did not use a CA
certificate from a well-known CA root in his signing chain -- it is not
possible to do that because you do not have the private key from that
well-known root CA certificate.

You should use selfCA as root CA of your signing chain and you have to
place that selfCA in the browser.

> If anyone has a running setup without importing the self-signed CA to all
> browsers please let me know.

It is not possible to bump traffic without importing your self-signed
root CA into all browsers. If it were possible, SSL would have been useless.

HTH,

Alex.
Received on Mon Apr 22 2013 - 17:05:55 MDT
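
An added example, not part of the original message or of Squid: it builds a private root ("selfCA") with the openssl CLI, signs a leaf with it, and shows that the leaf verifies only against a trust store containing selfCA, and that openssl refuses to sign as a root whose private key is not held. The names selfCA, otherRoot and www.example.test are constructed for the illustration, and otherRoot stands in for a CA the browser already trusts.

```shell
#!/bin/sh
# Added illustration; selfCA, otherRoot and www.example.test are constructed names.

# Create two unrelated self-signed roots and a leaf CSR in directory $1.
make_roots_and_csr() {
    for ca in selfCA otherRoot; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
}

# Sign CSR $1 as CA certificate $2 using private key $3, writing the leaf to $4.
# openssl refuses when the key does not belong to the CA certificate.
sign_leaf() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 1 -out "$4" 2>/dev/null
}

# Succeeds only if leaf $2 chains to a root in trust store $1.
leaf_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_roots_and_csr "$d" || return 1
    sign_leaf "$d/leaf.csr" "$d/selfCA.pem" "$d/selfCA.key" "$d/leaf.pem" || return 1
    # Client that imported selfCA: the bumped certificate validates.
    leaf_trusted_by "$d/selfCA.pem" "$d/leaf.pem" \
        && echo "store with selfCA:    leaf accepted"
    # Client that only trusts some other root: same certificate is rejected.
    leaf_trusted_by "$d/otherRoot.pem" "$d/leaf.pem" \
        || echo "store without selfCA: leaf rejected"
    # Naming another root as issuer without holding its key does not work.
    sign_leaf "$d/leaf.csr" "$d/otherRoot.pem" "$d/selfCA.key" "$d/mismatch.pem" \
        || echo "signing as otherRoot without its key: refused"
    rm -rf "$d"
}
demo
```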
