On 06/08/2011 02:52 PM, Amos Jeffries wrote:
On Tue, 07 Jun 2011 11:54:52 +0200, PaweÅ Mojski wrote:Hi all. Finally I successful implemented ssl-bump with dynamic certificate generation feature.But, I don't know how to configure squid to use intermediate ca certificate.I generated Root CA, then using Root CA i signed Intermediate CA certificate and now, I want squid to use this Intermediate CA Certificate while generating certs for https connections. Then I want to import Root CA certificate into Windows PKI to solve "Unknown CA" error while surfing https pages. How can I do that?The client must have a full chain of trust from the root all the way down to the end certificate during the transactions. I think you may find that signing with an intermediate CA needs to install both the root and the intermediate public CA on the clients.I'm looking around cafile, capath of ssl-bump options but nothing works for me.http://wiki.squid-cache.org/Features/SslBump To squid there is only the cert PEM you told it to sign with. Amos
This matches up with what I've seen so far with my testing - I thought I might be able to get it to provide the full certificate chain to users, by playing around with the cafile settings, but no joy. Since all my browsers already trust my root CA, I thought that creating an intermediate CA for use by Squid would be sufficient. But no, I've had to install the intermediate CA on my browsers too. Feature request I guess?
[Linux Audio Users] [Photo] [Yosemite News] [Samba] [Video Projectors] [Video Devices] [Big List of Linux Books] [LCD TVs] [Webcams] [Linux USB]