Hi,

You can't possibly do this. To ssl-bump you need access to a private key
to sign the certs you offer to clients. Not in a million years is a
Commercial CA going to give you their private key. Such a key can sign
any certificate which would then be trusted by any software that
includes GoDaddy's CA (ie IE, Firefox, Chrome etc).

You need to use OpenSSL to set up your own CA and use its private key in
Squid as the key to generate new certificates. And preferably install
your new CA cert into your users' certificate stores as a Trusted CA.

The private key is basically the thing that any CA has to keep the most
private for SSL to work. Providers like GoDaddy would probably have the
machine that holds the private keys for at least their Root CA on a
private network (if even it's networked at all) and use subordinate CAs
to issue certificates to their clients (ie you). Unless you are a very
large trusted organisation and jump through many hoops you will get a
subordinate signing key from a reputable commercial CA.

Otherwise, the internet and SSL would already be more borken than it is
right now ;-)

Alex

On 27/05/14 19:13, Antoine Klein wrote:
Hi there,
My boss gave me a certificate purchased from GoDaddy to intercept HTTPS requests.
squid.conf :
http_port 3127 transparent
http_port 3128
https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
sslproxy_capath /etc/ssl/certs
When I restart Squid I get an error:
ERROR: Failed to acquire SSL private key
'/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM
routines:PEM_read_bio:no start line
I don't have a private key, so is this normal?
Thanks!
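
Added example, not part of either message: a shell sketch of the approach Alex describes (create your own CA with OpenSSL and give Squid both the certificate and its private key), with a check that shows why a certificate-only file fails the way the error above reports. The file names, the CN and the helper names `make_ca` and `bump_ready` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths, CN and function names are constructed, not from the thread.

# Create a private CA: a self-signed certificate marked CA:TRUE plus its key.
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Squid Bump CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        2>/dev/null && chmod 600 "$dir/ca.key"
}

# Return 0 only if cert and key form a usable signing pair for ssl-bump.
bump_ready() {
    cert=$1; key=$2
    # 1. The key file must contain a PEM private key block. A certificate-only
    #    file has none, which is what "PEM_read_bio:no start line" means.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "FAIL: no PEM private key block in $key" >&2; return 1
    fi
    # 2. The certificate must be a CA certificate, not a server (leaf) one.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is not marked CA:TRUE" >&2; return 1
    fi
    # 3. The private key must belong to the certificate's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key/cert mismatch" >&2; return 1; }
    echo "OK: $cert and $key can be used as cert= and key="
}

# Demo in a throwaway directory. In squid.conf the pair would then be used as:
#   https_port 3129 transparent ssl-bump cert=<dir>/ca.crt key=<dir>/ca.key
demo_dir=$(mktemp -d)
make_ca "$demo_dir" && bump_ready "$demo_dir/ca.crt" "$demo_dir/ca.key"
```

When `key=` is omitted, Squid expects the `cert=` file to contain both the certificate and the private key, which is why the error names the `.crt` file.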