Joaquín Puga wrote:
Hi everybody.
We are running squid2.6.STABLE21 as a reverse proxy. Verisign does not
issue unchained certificates anymore, so we have to use a chained one.
I have been researching how to configure squid to use the chained
certs, but I'd like that someone could confirm whether I'm right or
wrong.
1) squid2.6.STABLE21 supports chained certificates
2) This is our current https_port with the unchained cert:
https_port x.y.w.z:443 cert=/etc/squid/certs/ww1.pem
key=/etc/squid/certs/ww1key.pem version=1 accel vhost
In this thread (http://www.squid-cache.org/mail-archive/squid-users/200509/0289.html)
Henrik mentions:
"Certificate chains is supported by Squid-3 or the SSL update patch to
Squid-2.5. You then enable the use of chained certificates by
appending the CA certificate to your server certificate, both in the
same file with the server certificate first and followed by the CA
certificate chain."
This means I just have to download the X.509 CA intermediate cert.,
the chained cert., and put both together in /etc/squid/certs/ww1.pem.
Then it should work, right? Is there anything else I need to do?
Henrik added what he documents as "primitive chained certificates" from
2.6.STABLE15 with various fixes to it up until STABLE21.
I'm not certain though of how much of the certificate protocols are
usable, you will likely need to test and find out.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.7
