Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

From: Alex Crow <alex_at_nanogherkin.com>
Date: Tue, 27 May 2014 19:26:50 +0100

Hi,

You can't possibly do this. To ssl-bump you need access to a private key
to sign the certs you offer to clients. Not in a million years is a
Commercial CA going to give you their private key. Such a key can sign
any certificate which would then be trusted by any software that
includes GoDaddy's CA (i.e. IE, Firefox, Chrome, etc.).

You need to use OpenSSL to set up your own CA and use its private key in
Squid as the key to generate new certificates. And preferably install
your new CA cert into your users' certificate stores as a Trusted CA.

The private key is basically the thing that any CA has to keep the most
private for SSL to work. Providers like GoDaddy would probably have the
machine that holds the private keys for at least their Root CA on a
private network (if it's even networked at all) and use subordinate CAs
to issue certificates to their clients (i.e. you). Unless you are a very
large trusted organisation and jump through many hoops you will get a
subordinate signing key from a reputable commercial CA.

Otherwise, the internet and SSL would already be more borken than it is
right now ;-)

Alex

On 27/05/14 19:13, Antoine Klein wrote:
> Hi there,
>
> My boss gave me a certificate purchased from Godaddy to intercept HTTPS requests.
>
> squid.conf:
> http_port 3127 transparent
> http_port 3128
> https_port 3129 transparent ssl-bump cert=/etc/ssl/myGodaddyCertif.crt
> sslproxy_capath /etc/ssl/certs
>
> When I restart squid I have an error:
> ERROR: Failed to acquire SSL private key
> '/etc/ssl/myGodaddyCertif.crt': error:0906D06C:PEM
> routines:PEM_read_bio:no start line
>
> I haven't a private key, so is this normal?
>
> Thanks !
>
Received on Tue May 27 2014 - 18:26:54 MDT
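Added example, not code from either poster or from the Squid project: the "set up your own CA with OpenSSL" route Alex describes, done as a POSIX shell script, plus a small PEM check that explains the original error (Squid was pointed at a certificate-only file as its key, so OpenSSL found no "-----BEGIN ... PRIVATE KEY-----" header and reported "no start line"). CA_DIR, the subject name and the squid.conf paths are assumptions; the squid.conf directives follow Squid 3.x syntax from the thread's era.

```shell
#!/bin/sh
# Added example for this thread (not Squid project code): build a private CA
# with OpenSSL for ssl-bump, bundle key and cert the way Squid reads them, and
# check what a PEM file actually contains. CA_DIR and all paths are assumptions.
set -eu

CA_DIR="${CA_DIR:-./squid-ca}"

# Count PEM blocks whose BEGIN line ends with the given label, e.g.
# "PRIVATE KEY" (also matches "RSA PRIVATE KEY" / "EC PRIVATE KEY") or "CERTIFICATE".
pem_block_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- "^-----BEGIN .*$2-----\$" "$1" || true
}

# Classify a PEM file. With cert= alone, Squid reads the private key from that
# same file; a certificate-only file has no PRIVATE KEY block, which is exactly
# what PEM_read_bio reports as "no start line".
describe_pem() {
    keys=$(pem_block_count "$1" "PRIVATE KEY")
    certs=$(pem_block_count "$1" "CERTIFICATE")
    if   [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo "key+cert"
    elif [ "$keys" -gt 0 ]; then echo "key-only"
    elif [ "$certs" -gt 0 ]; then echo "cert-only"
    else echo "none"; fi
}

# Create the CA: a private key that never leaves this host, and a self-signed
# certificate with CA:TRUE so clients that trust it accept the per-site
# certificates Squid mints with the key. Needs OpenSSL 1.1.1+ for -addext.
make_ca() {
    mkdir -p "$CA_DIR"
    umask 077   # key material is created readable by the owner only
    openssl genrsa -out "$CA_DIR/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 1825 -key "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj "/O=Example Org/CN=Example Internal Squid CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign"
    # Squid takes key and certificate from one PEM file when only cert= is given.
    cat "$CA_DIR/ca.key" "$CA_DIR/ca.crt" > "$CA_DIR/squid-ca.pem"
    # ca.crt (certificate only) is what goes into users' trust stores;
    # ca.key and squid-ca.pem stay on the proxy, readable by the squid user only.
}

# squid.conf lines that use the bundle (Squid 3.x syntax; paths are assumptions).
squid_conf_snippet() {
    cat <<EOF
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$CA_DIR/squid-ca.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
ssl_bump server-first all
EOF
}

if [ "${1:-}" = "run" ]; then
    make_ca
    echo "ca.crt:       $(describe_pem "$CA_DIR/ca.crt")"        # cert-only: the poster's situation
    echo "squid-ca.pem: $(describe_pem "$CA_DIR/squid-ca.pem")"  # key+cert: what Squid needs
    squid_conf_snippet
fi
```

Run it as `sh make-squid-ca.sh run`; the ssl_db directory named in `sslcrtd_program` still has to be initialised with `ssl_crtd -c -s /var/lib/squid/ssl_db` before Squid starts. Distribute only ca.crt to users; if the private key in squid-ca.pem is ever exposed, every client that trusts ca.crt can be impersonated to, which is the same reason a commercial CA will not hand out theirs.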