On 06/08/2011 02:52 PM, Amos Jeffries wrote:
On Tue, 07 Jun 2011 11:54:52 +0200, PaweÅ Mojski wrote:
Hi all.
Finally I successful implemented ssl-bump with dynamic certificate
generation feature.
But, I don't know how to configure squid to use intermediate ca
certificate.
I generated Root CA, then using Root CA i signed Intermediate CA
certificate and now, I want squid to use this Intermediate CA
Certificate while generating certs for https connections.
Then I want to import Root CA certificate into Windows PKI to solve
"Unknown CA" error while surfing https pages.
How can I do that?
The client must have a full chain of trust from the root all the way
down to the end certificate during the transactions. I think you may
find that signing with an intermediate CA needs to install both the
root and the intermediate public CA on the clients.
I'm looking around cafile, capath of ssl-bump options but nothing
works for me.
http://wiki.squid-cache.org/Features/SslBump
To squid there is only the cert PEM you told it to sign with.
Amos
This matches up with what I've seen so far with my testing - I thought I
might be able to get it to provide the full certificate chain to users,
by playing around with the cafile settings, but no joy. Since all my
browsers already trust my root CA, I thought that creating an
intermediate CA for use by Squid would be sufficient. But no, I've had
to install the intermediate CA on my browsers too. Feature request I guess?
- Lindsay
