[squid-users] ssl bump, CA certificate renewal, how to?

Dmitry Melekhov dm at belkam.com
Tue Jan 15 17:01:46 UTC 2019


15.01.2019 20:52, eliezer at ngtech.co.il writes:
>
> With squid 4.x or even 3.5 you can use an intermediate CA.
>
> So you will have the root key and certificate somewhere safe and renew 
> the intermediate root CA every year or two.
>
> The main root CA should be created at least for a period of 5 years to 
> allow this dynamicity you probably need.
>
> Eliezer
>

5 years, really, is not a very long period of time; if I were sure I wouldn't 
be working here in 5 years then I'd use this ;-), unfortunately I'm not :-(

I don't need to replace the certificate every year or so, but I need to have 
minimal service interruption for every user during certificate replacement,

and I'm sure that the certificate will need replacement for some reason.


>   * I have seen security companies (AV) that update their root CA
>     certificate using the AV or agent; if running an update
>     file/service every startup is an option we can try to find a nice
>     solution.
>
Download the certificate at every boot or user login....

This is a good idea, thank you!



>
> ----
>
> Eliezer Croitoru <http://ngtech.co.il/main-en/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il <mailto:eliezer at ngtech.co.il>
>
>
> *From:*squid-users <squid-users-bounces at lists.squid-cache.org> *On 
> Behalf Of *Dmitry Melekhov
> *Sent:* Tuesday, January 15, 2019 07:02
> *To:* squid-users at squid-cache.org
> *Subject:* [squid-users] ssl bump, CA certificate renewal, how to?
>
> Hello!
>
> According to
>
> https://wiki.squid-cache.org/Features/DynamicSslCert
>
> the recommended way to create a certificate is
>
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 
> -extensions v3_ca -keyout myCA.pem -out myCA.pem
>
> We can create a certificate for a longer time.
> But sooner or later we'll have to renew it.
> In this case, once we replace the certificate, it should be immediately 
> replaced on users' computers,
> not an easy task; I'm not sure it can be achieved in our environment.
> We had the same issue with OpenVPN; fortunately it can check 
> certificates against several CAs placed in the same file,
> so we had old and new certificates for some time.
> I don't know if it is possible to do something similar with squid and 
> dynamic certificate generation;
> I know it does not work now.
> Could you share your experience? How do you replace certificates?
> Thank you!
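An added example, not from this thread and not Squid project code, that builds the layout Eliezer describes with the openssl CLI: a long-lived root that is the only thing clients trust, a shorter-lived intermediate that the proxy would use to sign its dynamically generated certificates, and a renewal of that intermediate that leaves the client trust store untouched. It then shows the contrast Dmitry is worried about: once the root itself is replaced, certificates chaining to the new root are rejected by clients that still hold the old one. All names, lifetimes, the hostname www.example.test and the file layout are constructed for the demo; it assumes an openssl binary (1.1.1 or newer) on PATH and writes into a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): two-tier CA to show that renewing the
# intermediate needs no client-side change, while replacing the root does.
# Every name, lifetime and path here is constructed for the demo.
set -eu

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# new_root NAME DAYS: self-signed root; the only certificate clients must trust.
new_root() {
    openssl req -x509 -config ca.cnf -extensions root_ext -newkey rsa:2048 -nodes \
        -sha256 -days "$2" -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# new_intermediate NAME ROOT DAYS: the CA a bumping proxy would sign with.
new_intermediate() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days "$3" -sha256 -extfile ca.cnf -extensions int_ext -out "$1.crt" 2>/dev/null
}

# new_leaf NAME ISSUER: stands in for a dynamically generated server certificate.
new_leaf() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 30 -sha256 -extfile ca.cnf -extensions leaf_ext -out "$1.crt" 2>/dev/null
}

# chain_ok TRUSTED INTERMEDIATE LEAF: 0 if LEAF chains to TRUSTED via INTERMEDIATE.
chain_ok() {
    openssl verify -CAfile "$1.crt" -untrusted "$2.crt" "$3.crt" >/dev/null 2>&1
}

# run_demo DIR: builds everything in DIR; returns 0 only if every expectation holds.
run_demo() {
    mkdir -p "$1" && cd "$1"
    write_config ca.cnf
    new_root root-a 1825                                # kept offline; pushed to clients once
    new_intermediate int-2019 root-a 730
    new_leaf leaf-old int-2019
    chain_ok root-a int-2019 leaf-old || return 1       # initial deployment verifies

    # Year two: renew only the intermediate. Clients keep trusting root-a.
    new_intermediate int-2021 root-a 730
    new_leaf leaf-new int-2021
    chain_ok root-a int-2021 leaf-new || return 1       # no client change needed
    chain_ok root-a int-2019 leaf-old || return 1       # older certs stay valid too

    # The case the thread worries about: a replaced root needs every client updated.
    new_root root-b 1825
    new_intermediate int-b root-b 730
    new_leaf leaf-b int-b
    if chain_ok root-a int-b leaf-b; then return 1; fi  # old trust store rejects it
    return 0
}

if [ "${1:-}" = "run" ]; then
    run_demo "$(mktemp -d)" && echo "two-tier CA demo: all checks passed"
fi
```

Run it as `sh demo.sh run`. The proxy would be configured with the current intermediate's certificate and key (and must send the intermediate in the handshake, since clients only hold the root), and the one-off distribution job Dmitry mentions, fetching the certificate at boot or login, then only ever has to deliver the root.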