[squid-users] Using a Baltimore root certificate in transparent ssl proxying
Antony Stone
Antony.Stone at squid.open.source.it
Tue Apr 28 08:42:27 UTC 2020
On Monday 27 April 2020 at 23:44:41, Lei Wen wrote:
> The issue we are having right now is the certificate installed on the
> container is a self signed cert, we were trying to migrate this cert to a
> real trusted CA cert, or a Baltimore root cert.
That will not work for an intercepting ("transparent") proxy.
> I do notice that it is illegal for a trusted CA to issue official cert to
> squid because squid itself is man-in-the-middle, so Squid can only accept
> self signed cert and squid as root CA?
This is correct.
Squid is acting as a man-in-the-middle for *any* web request your users choose
to pass through it, therefore it has to present a certificate to their browser
which is valid for whatever domain they have requested.
In effect, it would need a wildcard certificate for the entire Internet.
No CA is going to give you that.
Regards,
Antony.
--
"How I managed so long without this book baffles the mind."
- Richard Stoakley, Group Program Manager, Microsoft Corporation,
referring to "The Art of Project Management", O'Reilly press
Please reply to the list;
please *don't* CC me.