
Re: 4.9 https issue...unable import certificate in browser


On 10.12.19 05:19, aw_wolfe wrote:
> I have squid 4.9 built with https support in which I created a certificate
> following tutorial. Squid starts, appears to be running fine. http whitelist
> with user groups working....trying to add https support.
>
> copy/paste from example of what I did to create certificate.
>
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem

here you create the authority with both the key and certificate in myCA.pem
using OpenSSL

> certtool --generate-privkey --outfile ca-key.pem
>
> certtool --generate-self-signed --load-privkey ca-key.pem --outfile myCA.pem

here you overwrite it by GnuTLS commands...
you misunderstood: These commands are alternative to openssl commands.

> openssl x509 -in myCA.pem -outform DER -out myCA.der
>
> 1) problem when trying to import myCA.der certificate into firefox: "This is
> not a certificate authority certificate, so it can’t be imported into the
> certificate authority list"

try without certtool commands. According to my experience, that openssl
command should produce correct CA certificate, I don't know about certtool
commands.

note that:
1. you can import myCA.pem at least into firefox (iirc)
2. you should not copy myCA.pem containing CA private key anywhere.

> 2) My goal is simply to whitelist sites, I do not have a need to view the
> traffic. Is following ssl-bump examples the right/only approach or is easier
> way to let the client connect directly, but preventing any connection except
> if on the whitelist?

you don't need to generate own certificate for this reason.
Configuring squid to stare at SSL connections should be enough.

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I wish NOT to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
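
One way to check the two points raised in the reply above before importing anything into a browser: that the exported file really is a CA certificate, and that it does not carry the private key. This is an added example, not part of the original message; the temporary config file, its `v3_ca` and `v3_leaf` sections, the subject name and the file names are all constructed for the demo, and the key is written to its own file instead of sharing one with the certificate.

```shell
#!/bin/sh
# Added example: all names and files below are constructed for the demo.
set -eu

write_config() {  # write_config <dir>: self-contained config, no system openssl.cnf needed
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed demo certificate
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
}

make_cert() {  # make_cert <dir> <name> <extension-section>
    # Same request as in the thread, but key and certificate go to separate files.
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$1/demo.cnf" -extensions "$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
    openssl x509 -in "$1/$2-cert.pem" -outform DER -out "$1/$2-cert.der"
}

is_ca_cert() {  # is_ca_cert <DER file>: true if basicConstraints says CA:TRUE
    openssl x509 -in "$1" -inform DER -noout -text | grep -q 'CA:TRUE'
}

has_private_key() {  # has_private_key <file>: true if a PEM private key block is present
    grep -q 'PRIVATE KEY' "$1"
}

demo() {
    dir=$(mktemp -d)
    write_config "$dir"
    make_cert "$dir" ca v3_ca
    make_cert "$dir" leaf v3_leaf
    for name in ca leaf; do
        if is_ca_cert "$dir/$name-cert.der"; then verdict="CA certificate"
        else verdict="not a CA certificate"; fi
        if has_private_key "$dir/$name-cert.der"; then verdict="$verdict, CONTAINS KEY"; fi
        echo "$name-cert.der: $verdict"
    done
    rm -rf "$dir"
}
demo
```

Only the `*-cert.der` (or `*-cert.pem`) file is meant to leave the proxy host; the `*-key.pem` file stays on it.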



