[squid-dev] SSL: https_port cert option
Alex Rousskov
rousskov at measurement-factory.com
Mon Dec 24 18:09:00 UTC 2018
On 12/24/18 5:38 AM, Meridoff wrote:
> Hello, I need to use my company's certificate as the signing certificate in
> the 'cert' argument of the http_port/https_port options.
Since you have mentioned http_port (above) and "generated certificates"
(below), I assume you are using SslBump.
Is your signing certificate a CA certificate? If not, then you cannot
use it to sign other certificates. SslBump with dynamic certificate
generation requires a CA certificate to sign generated certificates.
CA certificates have a "true" CA basic constraint:
$ openssl x509 -in cert.pem -noout -text | grep -A1 'Basic Constraints'
X509v3 Basic Constraints:
CA:TRUE
> when I try to use my company's cert with the correct RSA private key, an
> error occurs in squid:
> FATAL: FATAL: No valid signing SSL certificate configured for HTTPS_port
> 192.168.1.1:3128
>
> I've debugged some and recognized that
>
> 1. readCertChainAndPrivateKeyFromFiles() fails when it calls
> X509_check_private_key(cert.get(), pkey.get()):
> Warn/Err message: "X509_check_private_key() failed to verify signing cert2."
>
> 2. The OpenSSL function X509_check_private_key(cert.get(), pkey.get())
> fails with X509err(X509_F_X509_CHECK_PRIVATE_KEY,
> X509_R_KEY_VALUES_MISMATCH);
If your signing certificate is a CA certificate, then you may want to
research why OpenSSL thinks that your private key does not match your
signing certificate.
> I've checked my cert private key with openssl util - it's OK.
>
> Also my cert (which is set in the cert= option) is not self-signed and is
> issued by another cert. The whole cert chain is 3 certificates.
>
> I've tried to combine all 3 certs in 1 file in the correct order:
>
> -----BEGIN RSA PRIVATE KEY-----
> (Your Private Key: your_domain_name.key)
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> (Your Primary SSL certificate: your_domain_name.crt)
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> (Your Intermediate certificate: )
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> (Your Root certificate: TrustedRoot.crt)
> -----END CERTIFICATE-----
>
>
> And other combinations too: separating the private key from the cert file
> and giving it in the key= option.
>
> No success - always the same error.
>
> So questions:
> 1) How can I use my cert chain as the RootCA cert for signing generated
> server certificates?
N.B. Do not call a chain "Root". It is misleading because a chain has
both Root and non-Root certificates.
The first step is to make sure that it is a CA certificate.
> 2) Why did such an error occur?
I do not know, but see above for the first thing to check. You can also
use OpenSSL to sign some new certificate; does that work?
> 3) Maybe there is a requirement that such a cert must be self-signed?
No, there is not.
HTH,
Alex.
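The three things the reply asks the poster to check (is the signing certificate a CA certificate, does the private key match it, and can OpenSSL sign a new certificate with it) can be scripted. The script below is an added example and is not code from this thread or from Squid; it assumes only the openssl command-line tool (1.1.1 or newer) and builds its own throw-away root/intermediate/server chain, laid out in a combined key+chain file the way the original mail describes. Each check reads the first certificate in the file it is given, which is how openssl x509 reads a PEM file; the "CA:TRUE" test is the same grep as in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid. It runs the checks
# the reply suggests against a candidate SslBump signing certificate: is it a
# CA certificate, does the private key match it, and can OpenSSL actually
# issue a certificate under it. Assumes the openssl CLI (1.1.1 or newer).
# All key material is a constructed throw-away fixture generated below.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"

# Check 1: does the first certificate in FILE carry CA:TRUE? (openssl x509
# reads the first CERTIFICATE block and skips a leading PRIVATE KEY block,
# so a combined key+chain file is judged by its first certificate.)
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Check 2: does the private key in KEYFILE belong to the first certificate in
# CERTFILE? Compares the public key taken from each side, which is what
# X509_check_private_key() decides (X509_R_KEY_VALUES_MISMATCH in the thread).
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 3: issue a probe certificate with SIGNER_CERT/SIGNER_KEY and verify it
# against TRUST_FILE. 'openssl x509 -req' refuses a key that does not match
# the signer cert; 'openssl verify' refuses an issuer that is not a CA.
try_sign() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/probe.key" -out "$WORK/probe.csr" \
        -subj "/CN=probe.example.test" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/probe.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
        -days 1 -extfile "$CNF" -extensions server_ext \
        -out "$WORK/probe.crt" >/dev/null 2>&1 &&
    openssl verify -CAfile "$3" -untrusted "$1" "$WORK/probe.crt" >/dev/null 2>&1
}

# Constructed fixture mirroring the mail's three-certificate chain:
# root (self-signed CA) -> inter (CA) -> server (end-entity, CA:FALSE), and
# chain.pem = key + server + inter + root, the combined layout from the mail.
make_fixture() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[ dn ]
CN = placeholder
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ inter_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    for name in inter server; do
        openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
            -subj "/CN=Example $name" >/dev/null 2>&1
    done
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
        -extfile "$CNF" -extensions inter_ext -out "$WORK/inter.crt" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days 1 \
        -extfile "$CNF" -extensions server_ext -out "$WORK/server.crt" >/dev/null 2>&1
    cat "$WORK/server.key" "$WORK/server.crt" "$WORK/inter.crt" "$WORK/root.crt" \
        > "$WORK/chain.pem"
}

# Run all three checks on CERT KEY TRUST and print a verdict line for each.
# Returns 0 only when every check passes, i.e. the pair can sign certificates.
assess() {
    ok=0
    is_ca_cert "$1"            && echo "  CA:TRUE present:    yes" || { echo "  CA:TRUE present:    NO"; ok=1; }
    key_matches_cert "$1" "$2" && echo "  key matches cert:   yes" || { echo "  key matches cert:   NO"; ok=1; }
    try_sign "$1" "$2" "$3"    && echo "  test signing works: yes" || { echo "  test signing works: NO"; ok=1; }
    return $ok
}

make_fixture
echo "== root CA cert with its own key (what SslBump needs)"
assess "$WORK/root.crt" "$WORK/root.key" "$WORK/root.crt" || true
echo "== combined key+chain file with the server cert first (the mail's layout)"
assess "$WORK/chain.pem" "$WORK/chain.pem" "$WORK/root.crt" || true
echo "== root CA cert paired with the wrong private key"
assess "$WORK/root.crt" "$WORK/server.key" "$WORK/root.crt" || true
```

Run it as-is and the first case passes all three checks, the combined file fails the CA check (its first certificate is the end-entity server cert, so openssl verify rejects it as an issuer even though the key matches), and the third case fails the key-match check and the signing check. To check a real candidate, call assess with the actual cert file, key file and a trust file holding the root of that chain.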