Squid - Proxy certificate


Squid - Proxy certificate

Walter H.
Hello,

can someone give me an example of the certificate, that is used here:

http_port 3128 ssl-bump cert=/etc/squid/cert/cert.pem

I'm using the latest CentOS release (6.5) with squid 3.1.10

I generated one with this:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
  -subj "/CN=dnsname/C=--/O=my Org/OU=my Squid server" \
  -keyout cert.pem -out cert.pem

in case I generate a CA cert and this one and install the CA cert in my
browser (FF);
does this help to remove the "The Connection is untrusted" messages of
my browser (FF)?

Thanks,
Walter





RE: Squid - Proxy certificate

Dave Thompson-5
> From: owner-openssl-users On Behalf Of Walter H.
> Sent: Thursday, December 05, 2013 23:42

> can someone give me an example of the certificate, that is used here:
>
> http_port 3128 ssl-bump cert=/etc/squid/cert/cert.pem
>
> I'm using the latest CentOS release (6.5) with squid 3.1.10
>
> I generated one with this:
>
> openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
>   -subj "/CN=dnsname/C=--/O=my Org/OU=my Squid server" \
>   -keyout cert.pem -out cert.pem
>
That generates a self-signed cert (and matching key) for your server.

> in case I generate a CA cert and this one and install the CA cert in my
> browser (FF);
> does this help to remove the "The Connection is untrusted" messages of
> my browser (FF)?
>
Those are different cases.

If you import to Firefox the self-signed server cert created above
then it will trust a server using that cert.

If you generate a self-signed (root) CA cert & key, and use those
to sign (issue) another cert or certs such as one for your server,
and import the CA cert to Firefox, then a server using any cert
under that CA is trusted.

Pick one.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
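
The two trust setups described in the reply above, as an added example that is not part of the original thread: it builds a lone self-signed server cert and a root CA with a server cert issued under it, then checks which trust anchor accepts which cert. The host name, subject fields, file names and function names are constructed placeholders; the anchor passed to `openssl verify` stands in for what gets imported into the browser.

```shell
#!/bin/sh
# Added example. Subjects and file names below are constructed placeholders.

# Build both setups from the reply in directory $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir" || return 1

    # Case 1: a single self-signed server cert (same options as the posted command).
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
        -subj "/CN=proxy.example.test/O=Example Org" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" 2>/dev/null || return 1

    # Case 2a: a self-signed root CA cert and key.
    openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        -subj "/CN=Example Demo Root CA/O=Example Org" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1

    # Case 2b: server key and CSR, then a cert issued under the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=proxy.example.test/O=Example Org" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Browsers match the host name against subjectAltName, so set it explicitly.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:proxy.example.test\n' \
        > "$dir/server.ext" || return 1
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 verifies against trust anchor file $1.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print which anchor accepts which server cert.
report() {
    for anchor in selfsigned.pem ca.pem; do
        for cert in selfsigned.pem server.pem; do
            if trusted_by "$1/$anchor" "$1/$cert"; then r=trusted; else r=untrusted; fi
            echo "anchor=$anchor cert=$cert -> $r"
        done
    done
}

demo=$(mktemp -d) && make_demo_pki "$demo" && report "$demo"
rm -rf "$demo"
```

Only `ca.pem` (never `ca.key`) is what would be imported as the trust anchor; the CA key is written unencrypted here because of `-nodes` and should be protected accordingly.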