John,

I believe what you need to do is export the Certificates from the IIS servers; they will be saved in a .pfx file, which is the PKCS12 format. OpenSSL can convert these into the PEM format that squid supports; these commands will give you the desired output.

Exports the Certificate:

    openssl pkcs12 -in server.pfx -out server.crt -nodes -nokeys -clcerts

Exports the Private Key (Note: will not be encrypted, store in a safe place):

    openssl pkcs12 -in server.pfx -out server.key -nodes -nocerts -clcerts

The openssl man page and the pkcs12 man page will have more information about these options if you need them.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co

> -----Original Message-----
> From: John Gardner [mailto:John.Gardner@xxxxxxxxxxxxxxxxxxxx]
> Sent: Sunday, February 13, 2011 2:13 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Reverse Proxy and Externally Generated Wildcard SSL Certificates
>
> Hi everyone. I've got a query about running Squid as a Reverse Proxy that I hope someone can answer.
>
> Over the past year, I've been tasked with introducing several Squid servers into our organisation, most of them so far have been internal Caching proxies, but I'm now at the stage where I need to implement a Reverse Proxy (RP) in our DMZ.
>
> We're going to offload the SSL onto the RP using a Wildcard SSL Certificate and during testing I used the advice here: http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate. This was great to test everything and worked well. However, now I'm ready to put this into a Production environment and I have to deal with the fact that we are fundamentally a Windows house.
>
> They have already procured wildcard SSL certificates from Verisign, where the original CSR was generated on a Windows server sent off to the CA (Verisign) and then the wildcard certificate returned to us.
> My question is quite simple, how do I import the wildcard certificate into openssl on the RP server? All the examples I've seen online assume that you're generating the CSR on the proxy server itself but I don't have that luxury unfortunately.
>
> I know this is more of an OpenSSL question rather than pure Squid question, I was just hoping that someone on the list has already done this and can give me some advice.
>
> Thanks in advance.
>
> John
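
The conversion described in the reply, followed by a check that the exported certificate and private key belong together, as an added example that is not part of the original thread. The function names, pass.txt and *.example.test are assumptions, and the .pfx is a constructed self-signed stand-in for the IIS export.

```shell
#!/bin/sh
# Added example (not from the thread): PKCS#12 -> PEM for a reverse proxy,
# then a check that the exported certificate and key are a pair.
# server.pfx / server.crt / server.key follow the reply; pass.txt, the
# function names and *.example.test are assumptions for illustration.

# CONSTRUCTED input: a throwaway self-signed wildcard pair packed into a
# .pfx, standing in for the file exported from the IIS server.
make_sample_pfx() {
    printf 'constructed-pass\n' > "$1/pass.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout "file:$1/pass.txt" -out "$1/server.pfx"
}

# pfx_to_pem PFX PASSFILE OUTDIR
# The import password is read from a file so it stays out of the process
# list and shell history. The key is written unencrypted (-nodes), so it is
# created under umask 077 and ends up readable by its owner only.
pfx_to_pem() {
    ( umask 077
      openssl pkcs12 -in "$1" -passin "file:$2" -out "$3/server.key" \
          -nodes -nocerts &&
      openssl pkcs12 -in "$1" -passin "file:$2" -out "$3/server.crt" \
          -nokeys -clcerts ) || return 1
    chmod 600 "$3/server.key"
}

# pair_matches CERT KEY: true when both files carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run on the constructed input.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
make_sample_pfx "$work" &&
pfx_to_pem "$work/server.pfx" "$work/pass.txt" "$work" &&
pair_matches "$work/server.crt" "$work/server.key" &&
echo "server.crt and server.key match: $(openssl x509 -in "$work/server.crt" -noout -subject)"
```

Running pair_matches before pointing the proxy at the files catches a .pfx that was exported without its private key or paired with the wrong one.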