I am also interested in understanding the issue.

Can squid send the certificate chain as a part of the negotiation? Apache is 
able to do that, so I think the underlying openssl is not the problem. This 
may require a new configure option in the ssl_bump to tell squid where the 
certificate chain file is. 

Ming


> -----Original Message-----
> From: Lindsay Hill [mailto:linds...@makonetworks.com]
> Sent: Tuesday, June 07, 2011 11:31 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] SSLBump and intermedia CA Certificate.
> 
> On 06/08/2011 02:52 PM, Amos Jeffries wrote:
> > On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
> >> Hi all.
> >>
> >> Finally I successfully implemented ssl-bump with the dynamic certificate
> >> generation feature.
> >> But, I don't know how to configure squid to use intermediate ca
> >> certificate.
> >> I generated Root CA, then using Root CA I signed Intermediate CA
> >> certificate and now, I want squid to use this Intermediate CA
> >> Certificate while generating certs for https connections.
> >> Then I want to import Root CA certificate into Windows PKI to solve
> >> "Unknown CA" error while surfing https pages.
> >> How can I do that?
> >
> > The client must have a full chain of trust from the root all the way
> > down to the end certificate during the transactions. I think you may
> > find that signing with an intermediate CA needs to install both the
> > root and the intermediate public CA on the clients.
> >
> >
> >> I'm looking around cafile, capath of ssl-bump options but nothing
> >> works for me.
> >
> > http://wiki.squid-cache.org/Features/SslBump
> >
> > To squid there is only the cert PEM you told it to sign with.
> >
> > Amos
> >
> 
> This matches up with what I've seen so far with my testing - I thought I
> might be able to get it to provide the full certificate chain to users,
> by playing around with the cafile settings, but no joy. Since all my
> browsers already trust my root CA, I thought that creating an
> intermediate CA for use by Squid would be sufficient. But no, I've had
> to install the intermediate CA on my browsers too. Feature request I
> guess?
> 
>   - Lindsay
