1 .if !'po4a'hide' .TH security_file_certgen 8
4 security_file_certgen \- SSL certificate generator for Squid.
9 .if !'po4a'hide' .B security_file_certgen
10 .if !'po4a'hide' .B "[\-cdhv] [\-s "
12 .if !'po4a'hide' .B "\-M "
14 .if !'po4a'hide' .B "] [\-b "
19 .B security_file_certgen
20 is an installed binary.
22 Because the generation and signing of SSL certificates takes time
23 Squid can use this helper as an external process to handle the work.
25 Communication occurs via TCP sockets bound to the loopback interface.
27 This helper can use a disk cache of certificates to improve response
28 times on repeated requests. It can also operate without a cache,
29 generating new certificates on every request.
32 .if !'po4a'hide' .TP 12
33 .if !'po4a'hide' .B \-b fs_block_size
34 File system block size in bytes. Needed for processing natural size of certificate on disk.
35 Default value is 2048 bytes.
36 The following suffixes are accepted:
38 When no suffix is set,
43 .if !'po4a'hide' .B \-c
44 Initialize the SSL storage database and exit. Requires the
48 options to determine the storage location and size being created.
51 .if !'po4a'hide' .B \-d
52 Write debug info to stderr.
55 .if !'po4a'hide' .B \-h
56 Display the binary help and command line syntax info using stderr.
59 .if !'po4a'hide' .B \-s directory
60 Directory path of SSL storage database. Requires the
65 .if !'po4a'hide' .B \-M size
66 Maximum size of SSL certificate disk storage. Same suffixes supported by the
71 .if !'po4a'hide' .B \-v
72 Display the binary version details using stderr.
76 .B SSL errors after changing the CA
79 Certificates are stored in this database in signed form.
80 After any change to the signing CA in squid.conf be sure to erase and reinitialize the certificate database.
83 .B Certificate chaining
86 The versions 1.0 to 1.1 of this helper will not add chained intermediate CA certificates.
87 The client must have a full chain of trust from the root CA all the way
88 down to the end certificate generated by this program.
90 Signing with an intermediate CA needs to install both the
91 root and the intermediate public CA on the clients.
95 Before this helper can be used with disk storage, the storage area for new certificates must be initialized manually.
96 This is done from the command line using the
103 .if !'po4a'hide' .B @DEFAULT_SSL_CRTD@ \-c \-s @DEFAULT_SSL_DB_DIR@ \-M 4MB
107 Certificates are stored in this database in signed form.
108 After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
111 For simple configuration the helper defaults can be used.
112 Only HTTP listening port options are required to enable generation and set the signing CA certificate.
117 .if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=@SYSCONFDIR@/ssl_cert/example.com.pem
121 For more customized configuration, the helper certificate storage directory location and size can be altered with the
123 configuration directive. The number of helper processes running can be configured with the
126 configuration directive.
131 .if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@ \-s @DEFAULT_SSL_DB_DIR@ \-M 4MB
133 .if !'po4a'hide' .B sslcrtd_children 5
137 To operate without disk storage, the helper should be configured explicitly without the
146 .if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@
150 This program was written by
151 .if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
153 This manual was written by
154 .if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
156 .if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
160 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
162 * Squid software is distributed under GPLv2+ license and includes
163 * contributions from numerous individuals and organizations.
164 * Please see the COPYING and CONTRIBUTORS files for details.
167 Questions on the usage of this program can be sent to the
168 .I Squid Users mailing list
169 .if !'po4a'hide' <squid-users@lists.squid-cache.org>
172 Bug reports need to be made in English.
173 See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
175 Report bugs or bug fixes using http://bugs.squid-cache.org/
177 Report serious security bugs to
178 .I Squid Bugs <squid-bugs@lists.squid-cache.org>
180 Report ideas for new improvements to the
181 .I Squid Developers mailing list
182 .if !'po4a'hide' <squid-dev@lists.squid-cache.org>
185 .if !'po4a'hide' .BR squid "(8), "
186 .if !'po4a'hide' .BR GPL "(7), "
189 .if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
191 The Squid Configuration Manual
192 .if !'po4a'hide' http://www.squid-cache.org/Doc/config/