Hi,

I have made Squid 3.0 SSL work without client authentication. Now I want to assure the client. I want the client to install the certificate I send to him and import it into his browser. Other browsers without this certificate will never be able to get to my server. Now, any browser will have a warning dialog box; if he hits OK, my server will let him in.

On the server I created 3 files. One is the CA, one is the cert file and another is the key file. In squid.conf, I added cert=location of cert file and key=location of key file. I do not think the server CA file is the cafile the client wants, because right now he can click the OK button to get in without the CA file. My guess is that I have to create a client cert file, sign it, give it to the client, and add clientca=that file.

Someone please help me work this out. The following is the script to make one-way certification: server authentication. Please help me to add a couple of lines to make the client certs and to change the squid.conf.

#!/usr/local/bin/bash
# Regenerates the CA, the server key and the server certificate for Squid.
# ST, L, OU, O and CN are not set in this script; they must come from the environment.

MATRIX="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Random NAME for the certificate e-mail address
LENGTH=$RANDOM
let "LENGTH /= 2000"
let "LENGTH += 2"
while [ "${n:=1}" -le "$LENGTH" ]
do
    NAME="$NAME${MATRIX:$(($RANDOM%${#MATRIX})):1}"
    let n+=1
done
echo "$NAME"

# Random COMPANY for the certificate e-mail address
n="1"
LENGTH=$RANDOM
let "LENGTH /= 2000"
let "LENGTH += 2"
while [ "${n:=1}" -le "$LENGTH" ]
do
    COMPANY="$COMPANY${MATRIX:$(($RANDOM%${#MATRIX})):1}"
    let n+=1
done
echo "$COMPANY"

# Random PASSWORD used as the pass phrase for the CA key and the server key
n="1"
LENGTH=$RANDOM
let "LENGTH /= 2000"
let "LENGTH += 20"
while [ "${n:=1}" -le "$LENGTH" ]
do
    PASSWORD="$PASSWORD${MATRIX:$(($RANDOM%${#MATRIX})):1}"
    let n+=1
done
echo "$PASSWORD"

# Stop Squid and remove the old certificate files
su squid -c "/usr/local/squid/sbin/squid -k shutdown"
cd /usr/local/squid/etc
rm -f /usr/local/squid/etc/cert.pem
rm -f /usr/local/squid/etc/key.pem
rm -f /usr/local/squid/etc/demoCA/private/cacert.pem

# Self-signed CA certificate and CA key
/usr/bin/openssl req -new -x509 -keyout /usr/local/squid/etc/demoCA/private/cakey.pem -out /usr/local/squid/etc/demoCA/cacert.pem -days 365 -subj "/C=US/ST=$ST/L=$L/OU=$OU/O=$O/CN=$CN/emailAddress=$NAME@$COMPANY.com" -passout pass:$PASSWORD

# Server key and certificate request
/usr/bin/openssl req -new -keyout key.pem -out req.pem -days 365 -subj "/C=US/ST=$ST/L=$L/OU=$OU/O=$O/CN=$CN/emailAddress=$NAME@$COMPANY.com" -passout pass:$PASSWORD

# Strip the pass phrase from the server key so Squid can start unattended
cd /usr/local/squid/etc
cp key.pem key.pem.old
/usr/bin/openssl rsa -in key.pem.old -out key.pem -passin pass:$PASSWORD

# Sign the server request with the CA
/usr/bin/openssl ca -in /usr/local/squid/etc/req.pem -out /usr/local/squid/etc/cert.pem -passin pass:$PASSWORD -batch

# Restrict ownership and permissions
chown -R squid:users *
chmod 400 *.pem
chmod 400 demoCA/private/*.pem
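
One way to issue the client certificate asked about above, as an added example that is not part of the original post or of Squid's own documentation. It signs with `openssl x509 -req` against a throwaway CA (rather than the script's `openssl ca`) so it runs anywhere; the directory, subject fields, client name and pass phrase are constructed, and the `https_port` line in the trailing comment leaves the port as a placeholder.

```shell
#!/usr/bin/env bash
# Added example: issue a TLS client certificate and bundle it for browser import.
# make_client_cert DIR NAME P12_PASSWORD
# Writes DIR/NAME.key.pem, DIR/NAME.cert.pem and DIR/NAME.p12.
make_client_cert() {
    local dir="$1" name="$2" p12pass="$3"

    # Throwaway CA (constructed subject) so the example is self-contained; on the
    # server, sign with the existing demoCA/cacert.pem and demoCA/private/cakey.pem.
    if [ ! -f "$dir/ca.cert.pem" ]; then
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/C=US/O=Example/CN=Example Client CA" \
            -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null || return 1
    fi

    # Client key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example/CN=$name" \
        -keyout "$dir/$name.key.pem" -out "$dir/$name.req.pem" 2>/dev/null || return 1

    # Sign the request, restricting the certificate to TLS client authentication.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/$name.req.pem" -days 365 \
        -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/$name.cert.pem" 2>/dev/null || return 1

    # PKCS#12 bundle (key + certificate + CA) that the client imports into the browser.
    openssl pkcs12 -export -name "$name" \
        -inkey "$dir/$name.key.pem" -in "$dir/$name.cert.pem" \
        -certfile "$dir/ca.cert.pem" -passout "pass:$p12pass" \
        -out "$dir/$name.p12" || return 1
    chmod 400 "$dir/ca.key.pem" "$dir/$name.key.pem" "$dir/$name.p12"
}

# squid.conf on the server (port left as a placeholder; cert= and key= as already set):
#   https_port <port> cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/key.pem clientca=/usr/local/squid/etc/demoCA/cacert.pem
# clientca= takes the certificate of the CA that signed the client certificates,
# not the client certificate itself. Only NAME.p12 and its pass phrase go to the
# client; the CA key never leaves the server.
```
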