On 20/12/18 1:13 am, Meridoff wrote:
> Hello, when proxying https traffic squid needs self-signed cert.
>

No, Squid needs a certificate with properties compatible with the particular "proxying https" which your proxy is configured to do.

Some of those uses require *a CA* certificate and key. Self-signed is the simplest type of CA certificate - anybody can create and use one for whatever they want. There are other types of CA certificate and any of them are also usable in the situations where Squid simply needs a CA cert.

> But what if I use not self-signed cert ?

Depends on what type of certificate properties it *does* have.

> I need to use cert of my
> company which is not self-signed.

Is it a CA certificate? Probably not.

Do you actually need a CA for the feature(s) you are trying to use? Probably yes, maybe no.

Please provide details of the config you are trying to setup so we can answer more accurately. Right now anybody saying yes, no or giving specific advice will have to be guessing about what you mean.

> Is it possible ? Maybe I can use
> capath= option for this..

No. The capath= option is for loading *multiple* CA certificates in OpenSSL. It does not change the type of certificates loaded.

> Now squid complains: FATAL: No valid signing SSL certificate configured
> for HTTPS_port 192.168.1.1:3128
>

That message from Squid simply says the cert you are loading is not meeting the minimum requirements for the features you have configured in Squid.

Yes, that typically means one of the SSL-Bump features is being used and the cert is not a CA. But there are also other situations that message comes up, so please supply details about what you are actually trying to do.

Amos