[squid-dev] SSL: https_port cert option

Meridoff oagvozd at gmail.com
Mon Dec 24 12:38:12 UTC 2018


Hello, I need to use my company's certificate as the signing certificate in
the 'cert' argument of the http_port/https_port options.

I can generate and use a self-signed cert as described in the Squid manuals. All works
fine.

BUT, when I try to use my company's cert with the correct RSA private key, an
error occurs in squid:
FATAL: FATAL: No valid signing SSL certificate configured for HTTPS_port
192.168.1.1:3128

I've debugged some and recognized that

1. readCertChainAndPrivateKeyFromFiles() fails when it calls
X509_check_private_key(cert.get(), pkey.get()):
Warn/Err message: "X509_check_private_key() failed to verify signing cert2."

2. The OpenSSL function X509_check_private_key(cert.get(), pkey.get()) fails
with X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_KEY_VALUES_MISMATCH);

I've checked my cert's private key with the openssl util - it's OK.

Also my cert (which is set in the cert= option) is not self-signed and is issued by
another cert. The whole cert chain is 3 certificates.

I've tried to combine all 3 certs in 1 file in the correct order:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: )
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

And other combinations too: a separate private key file from the cert file, given
in the key= option.

No success - always the same error.

So questions:
1) How can I use my cert chain as the RootCA cert for signing generated server
certificates?
2) Why does such an error occur?
3) Maybe there is a requirement on such a cert that it must be self-signed?

Thanks.
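The check behind the X509_check_private_key() failure above, as an added example that is neither from this post nor from Squid's code: it compares the public key inside the first certificate of the cert= file with the public key derived from the private key (a KEY_VALUES_MISMATCH means those differ), and separately reports whether that certificate carries CA:TRUE, since clients reject server certificates issued by a non-CA certificate. It assumes the openssl CLI (1.1.1 or newer) is installed; the fixture file names and the make_fixtures helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post). Reproduces, with the openssl CLI, the
# key/cert consistency check that X509_check_private_key() performs, and a
# CA-flag check on the signing certificate. Works on a combined PEM bundle
# too: openssl reads the first CERTIFICATE block and the first key block.

# Print the SubjectPublicKeyInfo (PEM) of the first certificate in a file.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the SubjectPublicKeyInfo (PEM) derived from a private key file.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 when the private key belongs to the first certificate in $1,
# 1 otherwise. Comparing the two public keys is what KEY_VALUES_MISMATCH
# reports on; this works for RSA and EC keys alike.
cert_key_match() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 when the first certificate in $1 is marked CA:TRUE in its
# basicConstraints extension, 1 otherwise.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Constructed fixtures (assumption, for demonstration only): a throw-away
# self-signed CA key/cert pair and an unrelated RSA key, in a temp dir.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-ca' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Usage: cert_key_match /etc/squid/ca.crt /etc/squid/ca.key && echo matches
```

Run cert_key_match against the exact files named in cert= and key= (or the combined bundle twice); a mismatch here is the same condition Squid reports as "No valid signing SSL certificate".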