Re: ssl bump, CA certificate renewal, how to?

15.01.2019 20:52, eliezer@xxxxxxxxxxxx writes:

With squid 4.x or even 3.5 you can use an intermediate CA.

So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two.

 

The main root CA should be created for a period of at least 5 years to allow the dynamicity you probably need.

 

Eliezer


5 years, really, is not a very long period of time; if I were sure I won't be working here in 5 years, then I'd use this ;-) , unfortunately I'm not :-(

I don't need to replace the certificate every year or so, but I need to have minimal service interruption for every user during certificate replacement,

and I'm sure that the certificate will need replacement for some reason.


 

  • I have seen security companies (AV) that update their root CA certificate using the AV or agent; if running an update file/service at every startup is an option, we can try to find a nice solution.

Download the certificate at every boot or user login....

This is a good idea, thank you!



 

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


 

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Dmitry Melekhov
Sent: Tuesday, January 15, 2019 07:02
To: squid-users@xxxxxxxxxxxxxxx
Subject: ssl bump, CA certificate renewal, how to?

 

Hello!

According to

https://wiki.squid-cache.org/Features/DynamicSslCert

the recommended way to create a certificate is

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem  -out myCA.pem
 
We can create a certificate for a longer time.
 
But sooner or later we'll have to renew it.
 
In this case, once we replace the certificate, it should be immediately replaced on users' computers,
not an easy task; I'm not sure it can be achieved in our environment.
 
We had the same issue with OpenVPN; fortunately it can check certificates against several CAs placed in the same file,
so we had the old and new certificates for some time.
 
I don't know if it is possible to do something similar with squid and dynamic certificate generation;
I know it does not work now.
 
Could you share your experience? How do you replace certificates?
 
Thank you!
 
 
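The two-tier setup Eliezer suggests, as an added example that is not code from the thread or from the Squid project: a long-lived root that clients trust, and a shorter-lived intermediate that squid signs with and that can be rotated without touching the clients' trust stores. The CA names, validity periods and file paths are assumptions.

```shell
#!/bin/sh
# Added example: root CA kept offline, intermediate renewed, clients unchanged.
set -eu
WORK=${WORK:-$(mktemp -d)}   # assumed scratch directory

# Root CA, long-lived; its key goes offline once the intermediates are signed.
make_root() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -x509 -days 3650 \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Intermediate CA ($1 = name, $2 = validity in days) signed by the root.
# This cert/key pair is what squid's ssl-bump signing would point at.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=Example Squid CA $1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days "$2" -in "$WORK/$1.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Per-site leaf ($1 = intermediate name, $2 = hostname), standing in for the
# certificates squid's generator mints on the fly for bumped sites.
make_leaf() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# What a client that trusts only the root does: verify the leaf ($2) with the
# intermediate ($1) supplied as an untrusted chain cert. Prints "OK" or the error.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1.pem" \
    "$WORK/$2.pem" 2>&1 | tail -n 1 | sed 's/^.*: //'
}

# Rotation: the 2019 intermediate is replaced by a 2021 one. Both chain to the
# same root, so the client trust store never changes. Returns "OK OK".
rotate_demo() {
  make_root
  make_intermediate squid-ca-2019 730; make_leaf squid-ca-2019 www.example.com
  a=$(verify_leaf squid-ca-2019 www.example.com)
  make_intermediate squid-ca-2021 730; make_leaf squid-ca-2021 www.example.com
  b=$(verify_leaf squid-ca-2021 www.example.com)
  echo "$a $b"
}
rotate_demo
```

Squid still has to send the intermediate to clients along with each generated leaf, so check your Squid version's documentation for how the chain is supplied with the ssl-bump signing certificate; only the root needs to be in the clients' trust stores.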
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
