[squid-users] squid2.6.STABLE21: reverse proxy+chained SSL certificates

From: Joaquín Puga <jpdelrio_at_gmail.com>
Date: Fri, 22 May 2009 12:12:40 -0700

Hi everybody.

We are running squid2.6.STABLE21 as a reverse proxy. Verisign does not
issue unchained certificates anymore, so we have to use a chained one.
I have been researching how to configure squid to use the chained
certs, but I'd like someone to confirm whether I'm right or
wrong.

1) squid2.6.STABLE21 supports chained certificates
2) This is our current https_port with the unchained cert:
     https_port x.y.w.z:443 cert=/etc/squid/certs/ww1.pem key=/etc/squid/certs/ww1key.pem version=1 accel vhost

In this thread (http://www.squid-cache.org/mail-archive/squid-users/200509/0289.html)
Henrik mentions:

"Certificate chains is supported by Squid-3 or the SSL update patch to
Squid-2.5. You then enable the use of chained certificates by
appending the CA certificate to your server certificate, both in the
same file with the server certificate first and followed by the CA
certificate chain."

This means I just have to download the X.509 CA intermediate cert.,
the chained cert., and put both together in /etc/squid/certs/ww1.pem.
Then it should work, right? Is there anything else I need to do?

Regards,

Joaquin.
Received on Fri May 22 2009 - 19:12:49 MDT
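
The file layout Henrik describes (server certificate first, then the CA chain), as an added example that is not part of the original post or of Squid: shell functions that build the bundle and check its order with the `openssl` CLI. The function names and sample certificate names are hypothetical, and the sample certificates are throwaway ones constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): build the chained PEM that
# cert= points at, and check that the certificates are in the right order.

# Server certificate first, then the intermediate CA certificate(s).
build_chain() {  # usage: build_chain out.pem server.pem intermediate.pem...
    out=$1; shift
    cat "$@" > "$out"
}

# Succeed only if every certificate's issuer name matches the subject name
# of the certificate that follows it (a name comparison, not a signature check).
check_chain_order() {  # usage: check_chain_order bundle.pem
    tmp=$(mktemp -d) || return 2
    # Split the bundle into $tmp/cert1.pem, $tmp/cert2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (d "/cert" n ".pem")}' "$1"
    i=1; rc=0
    [ -f "$tmp/cert1.pem" ] || rc=1   # no certificate found at all
    while [ -f "$tmp/cert$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample input: a throwaway CA standing in for the intermediate
# and a server certificate signed by it (hypothetical names, 1-day validity).
make_sample_certs() {  # usage: make_sample_certs dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/intermediate.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/intermediate.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -days 1 \
        -out "$1/server.pem" 2>/dev/null
}

# Example run against the file from the post:
#   check_chain_order /etc/squid/certs/ww1.pem && echo "order OK"
```

A file holding a single unchained certificate passes trivially, since there is no following certificate to compare against.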
