.if !'po4a'hide' .TH ssl_crtd 8
.
.SH NAME
ssl_crtd \- SSL certificate generator for Squid.
.PP
Version 1.0
.
.SH SYNOPSIS
.if !'po4a'hide' .B ssl_crtd
.if !'po4a'hide' .B [\-dhv]
.
.if !'po4a'hide' .B ssl_crtd
.if !'po4a'hide' .B "[\-d] \-s "
directory
.if !'po4a'hide' .B [\-M
size
.if !'po4a'hide' .B ]
.if !'po4a'hide' .B [\-b
fs_block_size
.if !'po4a'hide' .B ]
.
.if !'po4a'hide' .B ssl_crtd
.if !'po4a'hide' .B "[\-d] \-c \-s "
directory
.if !'po4a'hide' .B [\-n
serial number
.if !'po4a'hide' .B ]
.
.if !'po4a'hide' .B ssl_crtd
.if !'po4a'hide' .B "[\-d] \-g \-s "
directory
.
.SH DESCRIPTION
.B ssl_crtd
is an installed binary.
.PP
Because the generation and signing of SSL certificates takes time,
Squid must use an external process to handle the work.
.
This process generates new SSL certificates and uses a disk cache of certificates
to improve response times on repeated requests.
Communication occurs via TCP sockets bound to the loopback interface.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-b fs_block_size
File system block size in bytes. Used to compute the space each certificate actually occupies on disk.
Default value is 2048 bytes.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-c
Initialize the SSL storage database and exit.
Requires the
.B \-s
option to determine the storage location being created.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-g
Display the current serial number on stderr and exit.
Requires the
.B \-s
option to determine which storage directory the serial is located in.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info on stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-s directory
Directory path of disk storage for new SSL certificates.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-M size
Maximum size of SSL certificate disk storage.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-n serial number
HEX
.B "serial number "
to use when initializing an SSL storage database.
The default is the number of seconds since the Epoch minus 1200000000.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-v
Display the binary version details on stderr.
.
.SH KNOWN ISSUES
.PP
.B SSL errors after changing the CA
.
.PP
Certificates are stored in this database in signed form.
After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
.
.PP
.B Certificate chaining
.
.PP
Version 1.0 of this helper will not add chained intermediate CA certificates.
The client must have a full chain of trust from the root CA all the way
down to the end certificate generated by this program.
.
Signing with an intermediate CA therefore requires installing both the
root and the intermediate public CA certificates on the clients.
.
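.PP
The chaining caveat above, as an added shell example that is not Squid or ssl_crtd code: it builds a throw-away root CA, an intermediate CA and a leaf certificate for www.sample.com with openssl(1), then verifies the leaf as a client would, once trusting only the root (fails, since the helper sends no chain) and once with root and intermediate both installed (passes). It assumes OpenSSL 1.1.1 or later on PATH; every CA name, path and file name is constructed for the example.

```shell
#!/bin/sh
# Added example for the "Certificate chaining" caveat; not Squid or ssl_crtd code.
# Builds a throw-away PKI with openssl(1): a root CA, an intermediate CA signed by
# it, and a leaf for www.sample.com signed by the intermediate, the shape of a leaf
# ssl_crtd mints when squid.conf's "cert=" is an intermediate. The leaf is then
# verified the way a client would: trusting only the root (fails, because the
# helper sends no chain), then with root and intermediate both installed (passes).
# Assumptions: openssl 1.1.1 or later on PATH; every name and path is constructed.
set -eu

# Minimal openssl config so req(1) does not depend on the system openssl.cnf;
# it also holds the extension sections used when signing.
write_openssl_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.sample.com
EOF
}

# build_pki DIR: writes root.pem, intermediate.pem and leaf.pem (plus keys) to DIR.
build_pki() {
    dir=$1
    cnf=$dir/openssl.cnf
    write_openssl_config "$cnf"
    ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

    # Root CA: self-signed, picks up [v3_ca] through x509_extensions.
    openssl req -config "$cnf" -x509 -new $ec -sha256 -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA: CSR signed by the root with CA:TRUE.
    openssl req -config "$cnf" -new $ec -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/intermediate.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_ca -out "$dir/intermediate.pem" 2>/dev/null

    # Leaf: what a client receives from Squid for www.sample.com.
    openssl req -config "$cnf" -new $ec -sha256 -subj "/CN=www.sample.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf DIR TRUSTFILE: 0 if leaf.pem chains to TRUSTFILE, 1 otherwise.
# -no-CAfile/-no-CApath keep the host's own trust store out of the result.
verify_leaf() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1/leaf.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# A client that installed only the root CA: the leaf's issuer is unknown.
client_with_root_only() {
    verify_leaf "$1" "$1/root.pem"
}

# A client with both CA certificates installed, as this page requires.
client_with_root_and_intermediate() {
    cat "$1/root.pem" "$1/intermediate.pem" > "$1/trusted.pem"
    verify_leaf "$1" "$1/trusted.pem"
}

demo() {
    work=$(mktemp -d)
    build_pki "$work"
    if client_with_root_only "$work"; then
        echo "root only:           verify OK (unexpected)"
    else
        echo "root only:           verify FAILED, issuer unknown (expected)"
    fi
    if client_with_root_and_intermediate "$work"; then
        echo "root + intermediate: verify OK (expected)"
    else
        echo "root + intermediate: verify FAILED (unexpected)"
    fi
    rm -rf "$work"
}

demo
```

The first verification fails with "unable to get local issuer certificate", which is the browser-side symptom of this limitation; concatenating the intermediate into the client's trust store is what makes the second one pass.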
.SH CONFIGURATION
.PP
Before this helper can be used the storage area for new certificates must be initialized manually.
This is done from the command line using the
.B \-c
parameter.
.
.PP
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B ssl_crtd -c -s /var/lib/ssl_db
.if !'po4a'hide' .RE
.
.PP
Certificates are stored in this database in signed form.
After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
.
.PP
For simple configuration the helper defaults can be used.
Only the http_port options are required, to enable generation and set the signing CA certificate.
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem
.if !'po4a'hide' .RE
.
.PP
For more customized configuration the helper certificate storage directory location and size can be altered with the
.B sslcrtd_program
configuration directive.
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
.if !'po4a'hide' .br
.if !'po4a'hide' .B sslcrtd_children 5
.if !'po4a'hide' .RE
.
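.PP
The initialization step above and the erase-and-re-initialize procedure from KNOWN ISSUES, as an added operator script that is not part of Squid or ssl_crtd. It only uses the flags documented on this page (\-c, \-s, \-n, \-g); the helper and database paths in SSL_CRTD and SSL_DB are constructed defaults, and the serial the script reads back is whatever the helper prints on stderr for \-g.

```shell
#!/bin/sh
# Added example (not part of Squid or ssl_crtd): an operator script around the
# documented ssl_crtd flags that initializes the certificate database once and
# re-initializes it after the signing CA in squid.conf changes.
# Assumptions: SSL_CRTD points at the installed helper and SSL_DB at the
# storage directory; both defaults below are constructed for the example.
set -eu

SSL_CRTD=${SSL_CRTD:-/usr/local/squid/libexec/ssl_crtd}
SSL_DB=${SSL_DB:-/usr/local/squid/var/lib/ssl_db}

# The documented default: seconds since the Epoch minus 1200000000, as HEX.
default_serial_hex() {
    printf '%X\n' $(( $(date +%s) - 1200000000 ))
}

# Guard for the rm -rf below: refuse an empty path, "/" or a relative path.
check_db_path() {
    case $1 in
        ""|/|[!/]*) echo "refusing to use '$1' as the database path" >&2; return 1 ;;
    esac
    return 0
}

# init_cert_db HELPER DIR [SERIAL]: create a fresh database.
# Fails (status 2) if DIR already holds data, so a live cache is not
# silently clobbered; use reinit_cert_db for that.
init_cert_db() {
    helper=$1; db=$2; serial=${3:-$(default_serial_hex)}
    check_db_path "$db" || return 1
    if [ -d "$db" ] && [ -n "$(ls -A "$db")" ]; then
        echo "$db already initialized; use reinit_cert_db after a CA change" >&2
        return 2
    fi
    mkdir -p "$(dirname "$db")"
    "$helper" -c -s "$db" -n "$serial"
}

# reinit_cert_db HELPER DIR [SERIAL]: the KNOWN ISSUES procedure.
# Cached certificates are stored already signed, so after the CA in
# squid.conf changes they must be thrown away, not reused.
reinit_cert_db() {
    check_db_path "$2" || return 1
    rm -rf "$2"
    init_cert_db "$@"
}

# current_serial HELPER DIR: the serial the helper reports (-g writes to stderr).
current_serial() {
    "$1" -g -s "$2" 2>&1 >/dev/null
}

# Stand-alone use: initialize (or, with REINIT=1, wipe and re-initialize) the
# configured database, then show the serial the helper will continue from.
if [ -x "$SSL_CRTD" ]; then
    if [ "${REINIT:-0}" = 1 ]; then
        reinit_cert_db "$SSL_CRTD" "$SSL_DB"
    else
        init_cert_db "$SSL_CRTD" "$SSL_DB"
    fi
    echo "serial: $(current_serial "$SSL_CRTD" "$SSL_DB")"
fi
```

Run it as root (or the Squid owner) once at install time and again with REINIT=1 whenever the cert= value on http_port changes; since Squid starts the helper under its own effective user, the database directory must be readable and writable by that user, which is why the script creates it but does not pick an owner for you.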
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
.PP
This manual was written by
.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
.if !'po4a'hide' .I Amos Jeffries <squid3@treenet.co.nz>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/