On 30/01/2015 1:43 p.m., Christian Kundela wrote:
> Dear all,
>
> I have problems setting up explicit proxy. (intercept tcp 80 no problem)
>
> If I do a self-signed cert, and I install it in Firefox or IE, no problem.
>
> But if I use a CA cert (I am using a signed cert from cacert.org), SSL
> site only TXT loaded and no pictures ... this I know, when something is
> wrong with key or else?
> (Installed also all certs from cacert.org (also Firefox addons))

Something is definitely wrong with your understanding of TLS/SSL. You are not alone in this, we get people every few weeks asking about this same "problem".

>
> Key, CSR is generated with:
> openssl genrsa -out /etc/squid/squid.key 2048
> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
>
> Signed on the site cacert.org. TXT put into /etc/squid/squid.crt
>
> My question: what CA cert does Squid expect? wildcard *? As common name I
> chose www.mydomain.net (is an example, for the CSR I used my real domain
> name).

SSL-Bump cert generator requires both public and *private* security key for a CA which is eligible to generate signed certificates.

To do what you are trying with a cacert.org signed certificate chain you would need to have a copy of the private key belonging to cacert.org. Or, to somehow convince them to grant *you* the same worldwide powers and responsibilities that the global Trusted CA organisations have.

I hope you can see why that is not possible?

>
> How can I trace this problem (debug), or is the cert wrong? I'm stuck here ...
>

Use the self-signed cert in the way that you found works.

There are two situations where certificate generation is potentially legitimately used:

1) if you have legal authority to install your self-signed CA into the client browser,
 - cacert.org and other Trusted CA organisations are unnecessary.

2) if you own the domain being visited and are only delivering the cert cacert.org verified as belonging to you.
 - interception of the traffic is unnecessary.

In neither situation do a Trusted CA signed certificate and interception happen together.

Definitely do check up on your local laws. In some countries it's outright illegal to use that Squid feature, others require a govt license, etc.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
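The distinction Amos draws above, as an added example (not from the thread or from the Squid project): a self-signed CA of the kind the SSL-Bump generator can use (certificate plus private key, both local) next to a CA-issued leaf certificate of the kind cacert.org returns for a CSR, with two checks a practitioner would run on the files they actually have. All names and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed CA versus CA-issued leaf.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Bump CA (placeholder)
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1) What SSL-Bump needs: a CA certificate AND its private key, both local.
CA_KEY="$WORK/ca.key"; CA_CRT="$WORK/ca.crt"
openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/req.cnf" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null

# 2) What a public CA hands back for a CSR: a leaf cert for one name,
#    issued with the CA key. The issuer's private key stays with the issuer.
LEAF_KEY="$WORK/leaf.key"; LEAF_CRT="$WORK/leaf.crt"
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=www.example.net" -keyout "$LEAF_KEY" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 365 -sha256 -out "$LEAF_CRT" 2>/dev/null

# "yes" if the cert carries basicConstraints CA:TRUE, i.e. it may sign certs.
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes; else echo no; fi
}

# "yes" if the private key's public half is the one inside the certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] && echo yes || echo no
}

echo "ca.crt is a CA:        $(is_ca_cert "$CA_CRT")"                  # yes
echo "leaf.crt is a CA:      $(is_ca_cert "$LEAF_CRT")"                # no
echo "ca.key fits leaf.crt:  $(key_matches_cert "$LEAF_CRT" "$CA_KEY")" # no
```

Run against a cert obtained from a public CA, the first check answers "no", which is the whole reason the generator cannot work with it.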