15.01.2019 20:52, [email protected] writes:
With squid 4.x or even 3.5 you can use an intermediate CA.
So you will have the root key and certificate somewhere safe and renew
the intermediate root CA every year or two.
The main root CA should be created for a period of at least 5 years to
allow the dynamicity you probably need.
Eliezer
5 years is really not a very long period of time; if I were sure I won't be
working here in 5 years then I'd use this ;-) , unfortunately I'm not :-(
I don't need to replace the certificate every year or so, but I need to have
minimal service interruption for every user during certificate replacement,
and I'm sure that the certificate will need replacement for some reason.
* I have seen security companies (AV) that update their root CA
certificate using the AV or agent; if running an update
file/service at every startup is an option, we can try to find a nice
solution.
Download the certificate at every boot or user login...
This is a good idea, thank you!
----
Eliezer Croitoru <http://ngtech.co.il/main-en/>
Linux System Administrator
Mobile: +972-5-28704261
Email: [email protected] <mailto:[email protected]>
From: squid-users <[email protected]> On Behalf Of Dmitry Melekhov
Sent: Tuesday, January 15, 2019 07:02
To: [email protected]
Subject: [squid-users] ssl bump, CA certificate renewal, how to?
Hello!
According to
https://wiki.squid-cache.org/Features/DynamicSslCert
the recommended way to create the certificate is
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
-extensions v3_ca -keyout myCA.pem -out myCA.pem
We can create the certificate for a longer time.
But sooner or later we'll have to renew it.
In this case, once we replace the certificate, it should immediately be
replaced on users' computers;
not an easy task, I'm not sure it can be achieved in our environment.
We had the same issue with openvpn; fortunately it can check
certificates against several CAs placed in the same file,
so we had old and new certificates for some time.
I don't know whether it is possible to do something similar with squid and
dynamic certificate generation;
I know it does not work now.
Could you share your experience? How do you replace certificates?
Thank you!
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users