On 19/10/2012 2:36 a.m., Jesse Smith wrote:
Thanks Amos, our purpose is to dynamically generate all our domain
certs so only one IP address has to be used. But, my understanding is,
that you cannot use a commercial CA for dynamically signing the cert,
which makes sense as they would not give out their private key.
Can you use a commercial root CA to sign dynamically generated certs?

Yes you can - provided you have the private CA cert key to sign with.
If this is actually a reverse-proxy serving your own domains there is no
need for the "intercept" flags. Please set it up as a reverse proxy
properly with "accel" mode flags. ssl-bump flag and certificate
generation should still work okay - it has not had much testing for
that mode combination but should be expected to work fine. Any bugs you
find in its behaviour please notify the developers via bugzilla
(bugs.squid-cache.org).
Amos