On 2025-12-05 09:50, Dieter Bloms wrote:
> We have been using Squid with SSLBump for years.
> The RootCA will expire next year, which is why we have already created a
> new RootCA. Since there are still many proprietary clients that do not yet
> have the new RootCA, I have two intermediate certificates (one from the
> old and one from the new RootCA), issued for the intermediate CA using
> the very same CSR.
> Now I have copied these two certificates together with the private key
> into a PEM file (first the certificates, then the key), but only the
> first certificate is ever delivered.
IIRC, Squid sends the [intermediate] certificate that it used to
issue/sign the generated host/leaf certificate.
> Is there a way to have the second certificate delivered as well
No, Squid does not send "extra" intermediate certificates (i.e.
certificates that are not necessary to complete the chain).
Sending "extras" would violate TLS protocol rules and cause
interoperability problems with some clients: RFC 8446 says that "The
sender's certificate MUST come in the first CertificateEntry in the
list. Each following certificate SHOULD directly certify the one
immediately preceding it."
> so that
> clients with the old RootCA and clients with the new RootCA can verify
> the certificates issued by Squid?
> Or is there a better solution in general if the certificates issued by
> Squid are to be temporarily validated by two RootCAs?
It sounds like you are already cross-signing the intermediate
certificate, which is the right thing to do in this case.
You may provide intermediate certificate B to AIA-aware clients via AIA
in the leaf certificate issued by intermediate certificate A (where A
and B are cross-signed/issued by your two roots). Not all clients
support AIA, of course.
HTH,
Alex.
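A worked version of the cross-signing setup discussed above, added here as an example and not code from the thread or from the Squid project: one intermediate key and CSR are signed by two constructed roots (the "old" and the "new" one), one leaf is issued with the intermediate key, and `openssl verify` is run over every root/intermediate pairing. All subjects, file names and the scratch directory are constructed; the leaf is a plain server certificate rather than one generated by Squid, and the script assumes an `openssl` binary (1.1.1 or 3.x) on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): build a throwaway PKI
# with one intermediate cross-signed by two roots and check which
# (root, intermediate) pairings a relying party can validate the leaf with.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory
CFG="$WORK/ext.cnf"

# Minimal OpenSSL config: an empty DN section (subjects come from -subj)
# plus the extension profiles for CA and leaf certificates.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
# keyid only: an AKI that also carried issuer+serial would bind the leaf to
# exactly one of the two cross-signed intermediate certificates.
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.test
EOF

# gen_key NAME: EC P-256 private key in $WORK/NAME.key
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$WORK/$1.key" 2>/dev/null
}

# gen_csr NAME SUBJECT: CSR for an existing key
gen_csr() {
    openssl req -new -config "$CFG" -key "$WORK/$1.key" -subj "$2" \
        -out "$WORK/$1.csr" 2>/dev/null
}

# self_sign NAME: self-signed root from NAME.csr and NAME.key
self_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
        -extfile "$CFG" -extensions v3_ca -out "$WORK/$1.crt" 2>/dev/null
}

# issue OUT CSR CA_CERT CA_KEY PROFILE: sign a CSR with a CA certificate/key
issue() {
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$4.key" \
        -CAcreateserial -days 730 -extfile "$CFG" -extensions "$5" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain ROOT INTERMEDIATE: returns 0 if leaf.crt chains to ROOT
# via INTERMEDIATE, 1 otherwise
verify_chain() {
    if openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

build_pki() {
    gen_key rootA; gen_csr rootA "/CN=Old Root CA"; self_sign rootA
    gen_key rootB; gen_csr rootB "/CN=New Root CA"; self_sign rootB
    # One intermediate key and one CSR, signed by both roots (cross-signing)
    gen_key int; gen_csr int "/CN=Proxy Intermediate CA"
    issue intA int rootA rootA v3_ca
    issue intB int rootB rootB v3_ca
    # The leaf is signed with the intermediate key; intA and intB share the
    # subject DN and SKI, so the leaf's issuer/AKI matches both.
    gen_key leaf; gen_csr leaf "/CN=www.example.test"
    issue leaf leaf intA int v3_leaf
}

build_pki
for pair in "rootA intA" "rootB intB" "rootB intA" "rootA intB"; do
    set -- $pair
    if verify_chain "$1" "$2"; then echo "$1 + $2: OK"; else echo "$1 + $2: FAIL"; fi
done
```

The two mismatched pairings fail, which is the situation a client trusting only the new root ends up in when the server hands it the intermediate certificate that the old root signed. It illustrates the answer above: a TLS server sends exactly the intermediate that signed the leaf, so a client that trusts the other root needs to obtain the other cross-signed intermediate by some other route (for example AIA, where supported).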
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users