From: http://wiki.squid-cache.org/Features/DynamicSslCert

"In theory, you must either import your root certificate into browsers or instruct users on how to do that. Unfortunately, it is apparently a common practice among well-known Root CAs to issue subordinate root certificates. If you have obtained such a subordinate root certificate from a Root CA already trusted by your users, you do not need to import your certificate into browsers. However, going down this path may result in removal of the well-known Root CA certificate from browsers around the world. Such a removal will make your local SslBump-based infrastructure inoperable until you import your certificate, but that may only be the beginning of your troubles. Will the affected Root CA go after you to recoup their world-wide damages? What will your users do when they learn that you have been decrypting their traffic without their consent?"

The last sentence is ambiguous: the users can know, you can inform them that you have been decrypting their traffic. There is no difference (from the user's point of view, I mean) between a well-known Root CA and a self-signed certificate with a CA injected by a local GPO.

But in practice I don't know how you can do that, just "hello, I want a subordinate root certificate"?

FredB
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users