The error on IE is "The security service presented by this web site issued for a different web sites address.". I think it is about the need for wildcard certificates. Is it?

--
Oguz YILMAZ

On Wed, Dec 15, 2010 at 8:52 AM, Oguz Yilmaz <oguzyilmazlist@xxxxxxxxx> wrote:
> On Tue, Dec 14, 2010 at 9:13 PM, Michael Leong
> <Michael.Leong@xxxxxxxxxxxxxxxx> wrote:
>> One of the features of SSL is to detect the MITM you're doing. You need to
>> manually add the squid cert on each browser as a trusted CA to prevent those
>> warnings.
>
> Actually I have added the cert to IE Intermediate Certification
> Authorities and Trusted Root certificates. The error continues. Could it
> be that the name of the site does not match the certificate's "issued
> for" field? How can I create the right certificate?
>
>>
>>
>>
>> On 12/14/2010 12:31 AM, Oguz Yilmaz wrote:
>>
>> Dear all,
>>
>> I have enabled my proxy for transparent SSL MITM proxying. Traffic for
>> destination tcp 443 is DNAT'ed to localhost:8443 through iptables.
>> This part is working. I am able to browse the internet sites. For each
>> SSL site, the browser gives a MITM warning once. It should, of
>> course.
>> However, I want to learn the way to remove any warning by
>> manually adding a certificate to the Trusted Key Store of Internet
>> Explorer or Firefox.
>>
>> Squid conf param:
>> https_port 8443 cert=/etc/squid/certs/sslfilter.crt key=/etc/squid/certs/sslfilter.key protocol=https accel vhost defaultsite=google.com
>>
>> The way I have created the certificate and key:
>>
>> openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > /etc/squid/certs/sslfilter.key
>>
>> cat << EOF | openssl req -new -key /etc/squid/certs/sslfilter.key -x509 -days 1825 -out /etc/squid/certs/sslfilter.crt
>> TR
>> ANK
>> Ankara
>> Info
>> Customer IT
>> SSL Filtering Proxy
>> support@domain
>> EOF
>>
>>
>> Regards,
>>
>> --
>> Oguz YILMAZ
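Added example, not part of the thread: the browser compares the requested host name with the names inside the certificate separately from deciding whether the issuer is trusted, so this script checks which host names a certificate covers. It builds a throwaway certificate with the same Common Name as in the post and, for comparison, a constructed `*.example.com` wildcard; the key size, the file names and the host names tested are assumptions.

```shell
#!/bin/sh
# Added example: which host names does a given certificate cover?
# All keys and certificates are throwaway files in a temporary directory.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_cert NAME CN: create a self-signed certificate with Common Name CN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=TR/O=Info/OU=Customer IT/CN=$2" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.crt" 2>/dev/null
}

# covers NAME HOST: succeeds only if openssl reports that the
# certificate NAME matches HOST.
covers() {
    openssl x509 -in "$workdir/$1.crt" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# report NAME HOST: print the result of the check in one line.
report() {
    if covers "$1" "$2"; then
        echo "$1: $2 matches"
    else
        echo "$1: $2 MISMATCH"
    fi
}

make_cert proxy "SSL Filtering Proxy"   # same CN as the certificate in the post
make_cert wildcard "*.example.com"      # constructed wildcard, for comparison

for host in www.google.com www.example.com example.com a.b.example.com; do
    report proxy "$host"
    report wildcard "$host"
done
```

Importing either certificate as a trusted root does not change these results, because trust in the issuer and the host-name match are checked independently.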