Thanks Jay! Very informative.

Dan

On 12 May 2014, at 6:02 pm, Jay Jimenez <jay@xxxxxxxxxxxxxxx> wrote:

> Dan,
>
> Our browsers have very few and selected trusted CAs, which are also
> stored in our Trusted Root Certification Authorities. Install an
> internal root CA with Microsoft Certificate Services and generate the
> CA. After generating the CA certificate, make sure that you roll out
> the certificate via GPO:
>
> Computer Configuration -> Windows Settings -> Security Settings ->
> Public Key Policies -> Trusted Publishers, and add your cert to the
> "Trusted Root Certification Authorities"
>
> Once you have the root CA certificate installed in each computer, all
> subordinate CAs will be trusted automatically. In this case, we plan to
> have your squid box have a SUBORDINATE CA signed by your ROOT CA.
> (I hope you see the chain of authority here.)
>
> Go to your squid box and generate your .key file and certificate request .csr:
>
> openssl genrsa -out yourkey.key 1024
>
> openssl req -new -key yourkey.key -out yourkey.csr
>
> Copy the content of your .csr file to your root CA web enrollment
> service (make sure the web enrollment is installed), choose advanced
> certificate request, paste the content of your .csr file and choose
> "SUBORDINATE Certification Authority".
>
> Click submit and download the Base64 encoded certificate file (NOT the
> DER encoded one).
>
> Use the downloaded .cer file and your .key file for your squid SSL bump.
>
> Your Squid now has the subordinate CA, and any certificate generated by
> Squid will be trusted automatically because the issuer of Squid's sub
> CA is your domain root CA.
>
> *Our organization has an existing internal PKI that we're currently using
> for our Microsoft NPS/802.1x. That saves us the headache of
> installing a new self-signed CA on each computer for Squid SSL
> bumping.
>
> Regards,
> Jay
>
> On Mon, May 12, 2014 at 3:06 PM, Dan Charlesworth <dan@xxxxxxxxxxx> wrote:
>> I for one would welcome you explaining this set up a little bit. Definitely relevant to my interests.
>>
>> Thanks!
>> Dan
>>
>> On 12 May 2014, at 4:56 pm, Jay Jimenez <jay@xxxxxxxxxxxxxxx> wrote:
>>
>>> Tom,
>>>
>>> If your proxy users and computers are members of an Active Directory
>>> domain, you might want to use your existing internal AD public key
>>> infrastructure. The reason for this is that domain computers already
>>> trust the CA of your AD. I can explain the setup a little bit if this
>>> is the kind of IT environment you have. The main advantage of this
>>> setup is you don't need to install a self-signed CA from squid on each
>>> computer.
>>>
>>> Jay
>>>
>>> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom@xxxxxxxxxxxxxxx> wrote:
>>>> Hi Amos,
>>>>
>>>> Thanks for that. Yes, I understand the legalities; this isn't to
>>>> 'forge' anything. The users are well aware they're not looking at the
>>>> real sites.
>>>>
>>>> The CA will be installed on their systems and they will have to agree
>>>> to it. The issue is that the browser is complaining that the CN does
>>>> not match, because my local web server that represents ANY site has a
>>>> catch-all CN. Therefore I'm trying to determine a way to generate the
>>>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>>>> correct.
>>>>
>>>> The certificates I generate don't need to look like the original
>>>> because I'm not trying to trick anyone; they just need not to error in
>>>> the browser.
>>>>
>>>> Thanks,
>>>> Tom
>>>>
>>>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>>>> Thanks for your help Walter. Problem is, which I wasn't too clear
>>>>>> about, site1.com was just an example. It could be any site that I
>>>>>> don't previously know the address for.
>>>>>>
>>>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>>>> self-signed cert.
>>>>>
>>>>> One of the built-in problems with forgery is that one must have an
>>>>> original to work from in order to get even a vague resemblance of
>>>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>>>> other than high-tech forgery of the website owner's security credentials.
>>>>>
>>>>> OR ... with a blind individual doing the checking it does not matter.
>>>>>
>>>>> (Un)luckily the system design for SSL and TLS as widely used today
>>>>> places a huge blindfold (the trusted CA set) on the client software. So
>>>>> all one has to do is install the signing CA for the forged certificates
>>>>> as one of those CAs and most anything becomes possible.
>>>>> ... check carefully the legalities of doing this before doing anything.
>>>>> In some places even experimenting is a criminal offence.
>>>>>
>>>>> Amos
>>>>>
>>>>
>>>> --
>>>> Tom Holder
>>>> Systems Architect
>>>>
>>>> www.Simpleweb.co.uk
>>>> Tel: 0117 922 0448
>>>>
>>>> Simpleweb Ltd.
>>>> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>>>> Simpleweb Ltd. is registered in England.
>>>> Registration no: 5929003 : V.A.T. registration no: 891600913
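Jay's procedure (root CA in the domain trust store, Squid holding a subordinate CA signed by it, Squid minting per-site certificates under that sub CA) can be rehearsed and checked entirely with openssl before touching AD CS. The script below is an added example and is not code from the thread or from the Squid project: the self-signed "root" it creates is a stand-in for the existing AD CS root, step 3 stands in for what the web enrollment page does when "Subordinate Certification Authority" is chosen, and the leaf certificate stands in for what Squid generates per site. The CA names, the hostname, the 2048-bit key size, and the Squid config paths are all assumptions.

```bash
#!/bin/sh
# Added example (not from the thread): build the root -> Squid sub CA -> bumped
# leaf chain with openssl and verify it the way a client's trust store would.
# The self-signed root stands in for the AD CS root CA; in production the CSR
# is submitted to AD CS web enrollment instead and root.cer is the AD root.
# All names and paths are illustrative assumptions.
set -e

build_bump_chain() {
  d="$1"
  mkdir -p "$d"

  # Extensions a CA certificate must carry. AD CS adds the equivalent when
  # the "Subordinate Certification Authority" template is chosen; pathlen:0
  # stops the Squid sub CA from minting further CAs (least privilege).
  cat > "$d/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat > "$d/subca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  cat > "$d/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
subjectAltName=DNS:www.example.com
EOF

  # 1. Stand-in for the domain root CA (already exists in the real AD setup).
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl req -new -key "$d/root.key" -subj "/CN=Example Corp Root CA" \
    -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null

  # 2. On the squid box: private key and CSR (the thread's two openssl commands).
  openssl genrsa -out "$d/squid.key" 2048 2>/dev/null
  openssl req -new -key "$d/squid.key" -subj "/CN=Squid SSL Bump Sub CA" \
    -out "$d/squid.csr" 2>/dev/null

  # 3. Root CA signs the CSR as a subordinate CA (what AD CS web enrollment does).
  openssl x509 -req -in "$d/squid.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/subca.ext" \
    -out "$d/squid.cer" 2>/dev/null

  # 4. What Squid does per visited site: mint a leaf signed by the sub CA.
  openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$d/leaf.key" -subj "/CN=www.example.com" \
    -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/squid.cer" -CAkey "$d/squid.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/leaf.ext" \
    -out "$d/leaf.cer" 2>/dev/null
}

# Check the issued certificate really is a CA. If the wrong template was
# picked in web enrollment, this fails and every cert Squid mints is rejected.
subca_is_ca() {
  openssl x509 -in "$1/squid.cer" -noout -text | grep -q 'CA:TRUE'
}

# A client with the domain root in its trust store and the sub CA available
# as an untrusted intermediate accepts the bumped leaf.
verify_chain() {
  openssl verify -CAfile "$1/root.cer" -untrusted "$1/squid.cer" \
    "$1/leaf.cer" >/dev/null 2>&1
}

# A client that only has the sub CA and never received the root via GPO
# cannot complete the chain to a trusted self-signed root, so this fails.
verify_without_root() {
  openssl verify -CAfile "$1/squid.cer" "$1/leaf.cer" >/dev/null 2>&1
}

# Squid 3.4-era ssl-bump directives using the sub CA (paths are assumptions).
write_squid_conf() {
  cat > "$1/squid-ssl-bump.conf" <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.cer key=/etc/squid/squid.key
ssl_bump server-first all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
EOF
}

# Stand-alone run: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  build_bump_chain "$tmp"
  subca_is_ca "$tmp" && echo "sub CA has CA:TRUE"
  verify_chain "$tmp" && echo "leaf verifies against domain root"
  verify_without_root "$tmp" || echo "leaf rejected when root is not trusted"
  write_squid_conf "$tmp" && echo "wrote $tmp/squid-ssl-bump.conf"
fi
```

Two points the rehearsal makes visible. First, the issued sub CA certificate must carry basicConstraints CA:TRUE; verify that on the .cer downloaded from web enrollment before loading it into Squid, because an end-entity certificate will load fine but every certificate Squid generates under it will be rejected. Second, clients need both the root (in Trusted Root Certification Authorities, as in the thread) and the sub CA certificate to build the chain; pushing the sub CA certificate to the Intermediate Certification Authorities store with the same GPO avoids depending on the client fetching it. The example uses 2048-bit keys; current browsers and OpenSSL builds refuse 1024-bit RSA.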