[squid-users] Distribute root certificate to clients

Nicolas Kovacs info at microlinux.fr
Mon Mar 12 09:40:48 UTC 2018


Hi,

I have a few prospective clients who want/need to log and monitor all
their web traffic and asked me to find a viable solution for this.

After a couple of weeks of fiddling, I decided to opt for the
Squid+SquidAnalyzer setup, which works quite well. I have a sandbox
installation here in my office that already works quite satisfyingly.

While working out the solution (thanks again to you guys, you know who
you are), I took some extensive notes on my technical blog:

  * https://blog.microlinux.fr/squid-centos/

  * https://blog.microlinux.fr/squid-https-centos/

  * https://blog.microlinux.fr/squidanalyzer-centos/

  * https://blog.microlinux.fr/squid-exceptions/

I have yet one problem to tackle, and I already have a solution in mind.
Though I thought I'd rather ask here first, since this is a bit new to
me, and you guys have much more experience.

Most of my clients are small businesses with up to a few dozen client
PCs, and also wireless access.

The problem I'm currently facing is: how to provide an easy installation
of Squid's root certificate? During my tests, I wrote some short
instructions for my Linux clients with Firefox, Chrome and Konqueror:

https://blog.microlinux.fr/squid-https-centos/#navigateurs

Here's what I intend to do. Configure a local web page
http://proxy.company.lan where clients can download the certificate file
proxy.company.lan.der. This page also contains quick & dirty
instructions on how to install the certificate on the most popular
browsers/platforms (Chrome, Firefox, Safari, Internet Explorer).

Each company will also have a printed document, explaining how to access
the Internet. Something like this:

  1. Open http://proxy.company.lan in your browser.

  2. Download the proxy.company.lan.der certificate file.

  3. Follow instructions to import this file into your browser.

  4. Browse the web normally.

Before doing that, I thought I'd inquire how you guys go about that. As
a long-time Slackware user I've always been a fan of the KISS principle
(Keep It Simple Stupid), so I try to have a no-nonsense approach.

Any suggestions?

Cheers from the sunny South of France,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32


More information about the squid-users mailing list