Thank you Amos so much.

So far I didn't add the CA to my browser.

And I followed many docs about how to create the .key file and .crt file, but I always get (ssl negotiation error).

What could be the problem?

Where should I check and troubleshoot?

BTW I have the directive

https_port 443 accel key=/root/CA/myCA/private/squid.local.key cert=/root/CA/myCA/certs/squid.local.crt

Where should I troubleshoot?

I appreciate your help a lot.

For a start I want to start with a self-signed certificate, but later I will buy a valid certificate.

Hope you can help me.

Cheers

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Thursday, May 21, 2015 6:01 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: https quick question

On 22/05/2015 9:09 a.m., snakeeyes wrote:
> Hi ,
>
> I WANT TO ESTABLISH squid https reverse proxy on squid
>
> Assume I configured and the keys xxxxx.crt & xxxxx.key needed for the
> directive
>
> https_port 443 accl cert=/etc/squid/ssl/xxxx.crt
> key=/etc/squid/ssl/xxxx.key vhost
>
> the question is being asked now
>
> do I need to add a certificate in my browser to get it work ?

No.

> if so , what key should I add ? the .cert file or the .key file ?

If it was signed by a global trusted CA then you don't have to do anything more. Making it work for clients is what you are paying the CA for.

If those keys were signed by a custom CA you can optionally add *that CA* to the browser trusted set. Or the user could click to add exception when they get their popup. Some of the browsers now are ignoring self-signed certs (provided they are valid to the server being contacted).

Or you could add TLSA records to your DNS for the domain.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
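
The checks below are an added example, not part of the thread and not Squid's own tooling. On a throwaway CA and server certificate (constructed; the host name squid.local is taken from the file names in the https_port line above, and the function names are hypothetical) they test that a key belongs to its certificate, that the certificate covers the host name, and that it verifies only against the CA that signed it, which is the custom-CA case described in the reply.

```shell
#!/bin/sh
# Added example: everything generated here is constructed test material.

# Build a custom CA and a server certificate for squid.local in directory $1.
make_pki() {
    d=$1
    # Self-signed root: the "custom CA" a browser would have to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Server key and signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=squid.local" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # Browsers match the host name against subjectAltName, so set it.
    printf 'subjectAltName=DNS:squid.local\n' > "$d/san.ext"
    openssl x509 -req -in "$d/server.csr" -days 30 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/san.ext" -out "$d/server.crt" 2>/dev/null || return 1
}

# True when private key $1 belongs to certificate $2 (same public key).
# A key=/cert= pair that fails this check cannot complete a handshake.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# True when certificate $1 is valid for host name $2.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

# True when certificate $2 chains to trust anchor file $1.
# Matching on the "OK" line avoids relying on the exit status.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Usage on real files (paths are the caller's own):
#   key_matches_cert /path/to/server.key /path/to/server.crt && echo "pair OK"
```

The same three functions can be pointed at the files named in the key= and cert= options before the proxy is restarted.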