[squid-users] squid https: using non-self-signed cert

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 19 13:15:02 UTC 2018


On 20/12/18 1:13 am, Meridoff wrote:
> Hello, when proxying https traffic squid needs self-signed cert.
> 

No, Squid needs a certificate with properties compatible with the
particular "proxying https" which your proxy is configured to do.


Some of those uses require *a CA* certificate and key. Self-signed is
the simplest type of CA certificate - anybody can create and use one for
whatever they want.

There are other types of CA certificate and any of them are also
usable in the situations where Squid simply needs a CA cert.



> But what if I use not self-signed cert ?

Depends on what type of certificate properties it *does* have.


>  I need to use cert of my
> company which is not self-signed.

Is it a CA certificate? Probably not.

Do you actually need a CA for the feature(s) you are trying to use?
Probably yes, maybe no.

Please provide details of the config you are trying to set up so we can
answer more accurately. Right now anybody saying yes, no or giving
specific advice will have to be guessing about what you mean.


> Is it possible? Maybe I can use
> capath= option for this..

No. The capath= option is for loading *multiple* CA certificates in
OpenSSL. It does not change the type of certificates loaded.


> Now squid complains: FATAL: No valid signing SSL certificate configured
> for HTTPS_port 192.168.1.1:3128
> 

That message from Squid simply says the cert you are loading is not
meeting the minimum requirements for the features you have configured in
Squid.

Yes that typically means one of the SSL-Bump features is being used and
the cert is not a CA. But there are also other situations that message
comes up, so please supply details about what you are actually trying to do.

Amos
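
Added example, not part of the original message: a shell check for whether a PEM certificate is a CA certificate (basicConstraints CA:TRUE, and keyUsage permitting certificate signing when keyUsage is present), which is the property the reply says is typically missing when that FATAL message appears with SSL-Bump. It assumes the `openssl` command-line tool is installed; `is_ca_cert`, `make_sample_certs` and every file name and subject are constructed for illustration, and this is not Squid's own validation code.

```shell
#!/bin/sh
# Added example (not from the original post). Names and subjects are constructed.
# Typical use: is_ca_cert /path/to/cert.pem && echo "CA certificate"

# is_ca_cert FILE: 0 = CA certificate, 1 = not a CA, 2 = cannot be parsed.
is_ca_cert() {
    _txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # basicConstraints must assert CA:TRUE.
    printf '%s\n' "$_txt" | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE' || return 1
    # keyUsage is optional, but when present it must allow certificate signing.
    if printf '%s\n' "$_txt" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$_txt" | grep -A1 'X509v3 Key Usage' \
            | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# make_sample_certs DIR: build a throwaway CA (ca.pem) and a server
# certificate issued by it (leaf.pem) so the check has both cases to run on.
make_sample_certs() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/openssl.cnf" \
        -extensions ca_ext -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=proxy.example.internal" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/openssl.cnf" \
        -extensions leaf_ext -out "$1/leaf.pem" 2>/dev/null
}
```

The issued server certificate here is not self-signed and is still rejected by the check, because what matters is the CA property rather than who signed the certificate.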

