I am resending my post because I'm not sure it was sent...

Ok thanks all!

I'm not in control of the clients, so that is the real problem: I can't install a certificate on their smartphones ^^.

So according to you, if I create a CA with openssl, and create a certification signing request (.csr) with a private key, and if I send my csr to a trusted authority to sign it, I could use it in squid without problem, then clients wouldn't have any warning?

I would like to be sure to avoid every problem.

2014-05-28 2:47 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:
>
> On 28/05/14 03:43, Amos Jeffries wrote:
>>
>> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>
>>> I want to bump ssl connections, but without producing a warning of course.
>>>
>>> I read it is possible to generate a request of certification with a
>>> key and send this file to an authority to sign it, do you know that ?
>>
>> Having your cert signed by a widely trusted certificate authority is one
>> thing, and the basis of how TLS/SSL works.
>>
>> SSL-bump cannot be used with that type of key for the reasons Alex
>> already mentioned. He also mentioned the steps you have to take instead
>> to get it going.
>>
>> Amos
>>
>
> Hi Antoine,
>
> You need to be a CA, i.e. have the CA private key, to be able to do this. If
> you are in control of the clients and know how to use OpenSSL to create a CA
> you can do this without paying any money to anyone. You simply create the CA
> and use it and its private key in your ssl-bump configuration.
>
> http_port 3128 sslBump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>
> proxy.pem is your private key and CA certificate concatenated.
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> The above line configures the crtd helpers that actually generate the certs
> for the requests, see http://wiki.squid-cache.org/Features/DynamicSslCert
>
> Cheers
>
> Alex

--
Antoine KLEIN
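
Added example, not part of the thread or of Squid's documentation: it builds a private CA and the `proxy.pem` Alex describes, then shows that a certificate issued for an ordinary CSR (CA:FALSE) cannot itself issue host certificates that a client will accept. It assumes the `openssl` command-line tool; all file names and subject names are constructed.

```shell
#!/bin/sh
# Added illustration; every file name and subject below is constructed.
# build_demo_pki DIR: a private CA, a leaf cert as returned for an ordinary CSR,
# and one host certificate signed by each of them.
build_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo Proxy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    echo 'basicConstraints = critical,CA:FALSE' > "$d/leaf.ext"
    # Self-signed CA (CA:TRUE); its private key stays with the proxy operator.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # proxy.pem as in the mail: private key and CA certificate concatenated.
    (umask 077; cat "$d/ca.key" "$d/ca.crt" > "$d/proxy.pem")
    for n in leaf host; do   # key + CSR for the leaf and for one bumped host
        openssl req -new -config "$d/ca.cnf" -subj "/CN=$n.example.test" \
            -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    sign leaf ca leaf || return 1          # leaf comes back with CA:FALSE
    sign host ca host_by_ca || return 1    # host cert issued by the real CA
    sign host leaf host_by_leaf            # host cert "issued" by the leaf
}

# sign CSR ISSUER OUT: sign $d/CSR.csr with ISSUER's key, writing $d/OUT.crt
sign() {
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.crt" -CAkey "$d/$2.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -days 30 -out "$d/$3.crt" 2>/dev/null
}

# can_issue DIR ISSUER: true if a client that trusts only ca.crt accepts the
# host certificate signed by ISSUER (the leaf is offered as an intermediate).
can_issue() {
    openssl verify -CAfile "$1/ca.crt" -untrusted "$1/leaf.crt" \
        "$1/host_by_$2.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
build_demo_pki "$demo"
for issuer in ca leaf; do
    if can_issue "$demo" "$issuer"; then echo "$issuer: accepted"
    else echo "$issuer: rejected"; fi
done
```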