With squid 4.x or even 3.5 you can use an intermediate CA. So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two. The main root CA should be created at-least for a period of 5 years to allow this dynamicity you probably need. Eliezer * I have seen security companies( AV ) that updates their root ca certificate using the AV or agent, if running an update file/service every startup is an option we can try to find a nice solution. ---- <http://ngtech.co.il/main-en/> Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: <mailto:elie...@ngtech.co.il> elie...@ngtech.co.il
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Dmitry Melekhov Sent: Tuesday, January 15, 2019 07:02 To: squid-us...@squid-cache.org Subject: [squid-users] ssl bump, CA certificate renewal, how to? Hello! According to https://wiki.squid-cache.org/Features/DynamicSslCert recommended way to create certificate openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem we can create certificate for longer time. But sooner or later we'll have to renew it. In this case, once we replaced certificate, it should be immediately replaced on user's computers, not easy task, I don't sure it can be achieved in our environment. We had the same issue with openvpn, fortunately it can check certificates from several ca's places in the same file, so we had old and new certificates for some time. I don't know is it possible to do something similar with squid and dynamic certificate generation, I know it does not work now. Could you share your experience? How do you replace certificates? Thank you!
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users