Dear All!

I also have a problem running ssl-bump with an intermediate CA using a signed certificate from a CA.

My setup is as follows:

squid-3.3.3-20130418-r12525 with

- https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid33/ssl_cert/server.pem key=/etc/squid33/ssl_cert/key.pem
- ssl_bump server-first all
- sslproxy_cert_error allow all
- sslproxy_cert_adapt setCommonName ssl::certDomainMismatch

following the rules at http://wiki.squid-cache.org/Features/MimicSslServerCert

This is working fine when using my self-generated CA for signing the requests. However, I want to get rid of the browser warning, so I try to use a CA already recognized in the browser, which should be possible following this ticket: http://bugs.squid-cache.org/show_bug.cgi?id=3426 (already mentioned).

But no matter what I do, I can't get rid of the browser warning.

If I use a self-signed root CA or certificate, squid detects it is self-signed and does not append any intermediate CA or other chain.

If I generate a CSR and send it to a CA, I get back a .crt and an intermediate bundle, pack them up with the key in a single .pem file and restart squid - then a chain is displayed in the browser, but now with one 'cert' too much (imho) and marked as invalid. Firefox reports sec_error_unknown_issuer, Safari says invalid chain length.

For example, in the browser details it looks like this:

RootCA (which is marked fine by the browser)
-> Intermediate CA (marked invalid)
-> Certificate signed and created by the CSR (marked invalid)
-> fake certificate created by squid for the requested site (marked invalid)

If anyone has a running setup without importing the self-signed CA to all browsers, please let me know.

Thanks for any feedback,
Alex