[squid-users] 4.9 https issue...unable to import certificate in browser

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Dec 10 11:30:07 UTC 2019

On 10.12.19 05:19, aw_wolfe wrote:
>I have squid 4.9 built with https support in which I created a certificate
>following tutorial. Squid starts, appears to be running fine. http whitelist
>with user groups working....trying to add https support.
>copy/paste from example of what I did to create certificate.
>openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions
>v3_ca -keyout myCA.pem  -out myCA.pem

here you create the authority with both the key and certificate in myCA.pem
using OpenSSL

>certtool --generate-privkey --outfile ca-key.pem
>certtool --generate-self-signed --load-privkey ca-key.pem --outfile myCA.pem

here you overwrite it with GnuTLS commands...
you misunderstood: these commands are an alternative to the openssl commands.

>openssl x509 -in myCA.pem -outform DER -out myCA.der

>1) problem when trying to import myCA.der certificate into firefox: "This is
>not a certificate authority certificate, so it can’t be imported into the
>certificate authority list"

try without the certtool commands. In my experience, that openssl
command should produce a correct CA certificate; I don't know about certtool.

note that:
1. you can import myCA.pem at least into firefox (iirc) 
2. you should not copy myCA.pem containing CA private key anywhere.

>2) My goal is simply to whitelist sites, I do not have a need to view the
>traffic. Is following ssl-bump examples the right/only approach or is there
>an easier way to let the client connect directly, but preventing any
>connection except if on the whitelist?

you don't need to generate your own certificate for this reason.
Configuring squid to stare at SSL connections should be enough.

Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
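
An added example, not part of the original thread: a shell check for the two points raised in the reply above, namely that the file given to the browser must hold a certificate with the CA flag set, and that it must not carry the CA private key. Function names and file paths are hypothetical; `make_constructed_bundle` only builds throwaway test input.

```shell
#!/bin/sh
# Added example (not from the original thread). Names and paths are hypothetical.

# True if the first certificate in $1 has basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# True if $1 contains a PEM private key block (such a file must not be copied around).
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Write only the certificate from bundle $1 to $2 (DER), refusing non-CA input.
export_ca_cert() {
    if ! is_ca_cert "$1"; then
        echo "refusing: $1 is not a CA certificate" >&2
        return 1
    fi
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Build a constructed self-signed key+certificate bundle for testing.
# $1 = CA:TRUE or CA:FALSE, $2 = output bundle path.
make_constructed_bundle() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-example
[ext]
basicConstraints = critical,$1
EOF
    openssl req -new -newkey rsa:2048 -sha256 -days 1 -nodes -x509 \
        -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        2>/dev/null || return 1
    cat "$dir/key.pem" "$dir/cert.pem" > "$2"
    rm -rf "$dir"
}

# Usage: sh check_ca.sh myCA.pem myCA.der
if [ "$#" -eq 2 ]; then
    export_ca_cert "$1" "$2"
fi
```

The DER file written by `export_ca_cert` contains the certificate only, so it can be distributed to clients while the key+certificate bundle stays on the proxy host.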
