| Commit | Line | Data |
|---|---|---|
| cb0b3d63 | 1 | .if !'po4a'hide' .TH security_file_certgen 8 |
| bb2b9f7e AJ | 2 | . |
| | 3 | .SH NAME |
| cb0b3d63 | 4 | security_file_certgen \- SSL certificate generator for Squid. |
| bb2b9f7e AJ | 5 | .PP |
| | 6 | Version 1.0 |
| | 7 | . |
| | 8 | .SH SYNOPSIS |
| cb0b3d63 | 9 | .if !'po4a'hide' .B security_file_certgen |
| bb2b9f7e | 10 | .if !'po4a'hide' .B [\-dhv] |
| 778bed98 | 11 | .br |
| cb0b3d63 | 12 | .if !'po4a'hide' .B security_file_certgen |
| 778bed98 | 13 | .if !'po4a'hide' .B "[\-d] \-s " |
| bb2b9f7e | 14 | directory |
| cb0b3d63 | 15 | .if !'po4a'hide' .B "[\-M " |
| bb2b9f7e AJ | 16 | size |
| | 17 | .if !'po4a'hide' .B ] |
| 778bed98 | 18 | .br |
| cb0b3d63 | 19 | .if !'po4a'hide' .B security_file_certgen |
| bb2b9f7e AJ | 20 | .if !'po4a'hide' .B "[\-d] \-c \-s " |
| | 21 | directory |
| 778bed98 | 22 | .if !'po4a'hide' .B "[\-n " |
| bb2b9f7e | 23 | serial number |
| 778bed98 MM | 24 | .if !'po4a'hide' .B ] |
| | 25 | .br |
| cb0b3d63 | 26 | .if !'po4a'hide' .B security_file_certgen |
| bb2b9f7e AJ | 27 | .if !'po4a'hide' .B "[\-d] \-g \-s " |
| | 28 | directory |
| | 29 | . |
| | 30 | .SH DESCRIPTION |
| cb0b3d63 | 31 | .B security_file_certgen |
| bb2b9f7e AJ | 32 | is an installed binary. |
| | 33 | .PP |
| | 34 | Because the generation and signing of SSL certificates takes time, |
| | 35 | Squid must use an external process to handle the work. |
| | 36 | . |
| | 37 | This process generates new SSL certificates and uses a disk cache of certificates |
| | 38 | to improve response times on repeated requests. |
| | 39 | Communication occurs via TCP sockets bound to the loopback interface. |
| | 40 | . |
| | 41 | .SH OPTIONS |
| | 42 | .if !'po4a'hide' .TP 12 |
| | 43 | .if !'po4a'hide' .B \-b fs_block_size |
| | 44 | File system block size in bytes. Needed to compute the natural size of a certificate on disk. |
| | 45 | Default value is 2048 bytes. |
| | 46 | . |
| | 47 | .if !'po4a'hide' .TP |
| | 48 | .if !'po4a'hide' .B \-c |
| | 49 | Initialize the SSL storage database and exit. |
| | 50 | Requires the |
| | 51 | .B \-s |
| | 52 | option to determine the storage location being created. |
| | 53 | . |
| | 54 | .if !'po4a'hide' .TP |
| | 55 | .if !'po4a'hide' .B \-d |
| | 56 | Write debug info to stderr. |
| | 57 | . |
| | 58 | .if !'po4a'hide' .TP |
| | 59 | .if !'po4a'hide' .B \-g |
| | 60 | Display the current serial number using stderr and exit. |
| | 61 | Requires the |
| | 62 | .B \-s |
| | 63 | option to determine which storage directory the serial is located in. |
| | 64 | . |
| | 65 | .if !'po4a'hide' .TP |
| | 66 | .if !'po4a'hide' .B \-h |
| | 67 | Display the binary help and command line syntax info using stderr. |
| | 68 | . |
| | 69 | .if !'po4a'hide' .TP |
| | 70 | .if !'po4a'hide' .B \-s directory |
| | 71 | Directory path of disk storage for new SSL certificates. |
| | 72 | . |
| | 73 | .if !'po4a'hide' .TP |
| | 74 | .if !'po4a'hide' .B \-M size |
| | 75 | Maximum size of SSL certificate disk storage. |
| | 76 | . |
| | 77 | .if !'po4a'hide' .TP |
| | 78 | .if !'po4a'hide' .B \-n serial number |
| | 79 | HEX |
| | 80 | .B "serial number " |
| | 81 | to use when initializing an SSL storage database. |
| | 82 | The default serial number is the number of seconds since the Epoch minus 1200000000. |
| | 83 | . |
| | 84 | .if !'po4a'hide' .TP |
| | 85 | .if !'po4a'hide' .B \-v |
| | 86 | Display the binary version details using stderr. |
| | 87 | . |
| | 88 | .SH KNOWN ISSUES |
| | 89 | .PP |
| 5c2b4745 AJ | 90 | .B SSL errors after changing the CA |
| | 91 | . |
| | 92 | .PP |
| | 93 | Certificates are stored in this database in signed form. |
| | 94 | After any change to the signing CA in squid.conf, be sure to erase and re-initialize the certificate database. |
| | 95 | . |
| | 96 | .PP |
| | 97 | .B Certificate chaining |
| | 98 | . |
| | 99 | .PP |
| bb2b9f7e AJ | 100 | Version 1.0 of this helper does not add chained intermediate CA certificates. |
| | 101 | The client must have a full chain of trust from the root CA all the way |
| | 102 | down to the end certificate generated by this program. |
| | 103 | . |
| | 104 | Signing with an intermediate CA therefore requires installing both the |
| | 105 | root and the intermediate public CA certificates on the clients. |
| | 106 | . |
| | 107 | .SH CONFIGURATION |
| | 108 | .PP |
| | 109 | Before this helper can be used, the storage area for new certificates must be initialized manually. |
| | 110 | This is done from the command line using the |
| | 111 | .B \-c |
| | 112 | option. |
| | 113 | . |
| | 114 | .PP |
| | 115 | For example: |
| | 116 | .if !'po4a'hide' .RS |
| ad0a76b5 | 117 | .if !'po4a'hide' .B @DEFAULT_SSL_CRTD@ -c -s @DEFAULT_SSL_DB_DIR@ |
| bb2b9f7e AJ | 118 | .if !'po4a'hide' .RE |
| | 119 | . |
| 5c2b4745 AJ | 120 | .PP |
| | 121 | Certificates are stored in this database in signed form. |
| | 122 | After any change to the signing CA in squid.conf, be sure to erase and re-initialize the certificate database. |
| | 123 | . |
| bb2b9f7e AJ | 124 | .PP |
| | 125 | For a simple configuration, the helper defaults can be used. |
| | 126 | Only the HTTP listening port options are required, to enable generation and set the signing CA certificate. |
| | 127 | For example: |
| | 128 | .if !'po4a'hide' .RS |
| ad0a76b5 | 129 | .if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=@SYSCONFDIR@/ssl_cert/example.com.pem |
| bb2b9f7e AJ | 130 | .if !'po4a'hide' .RE |
| | 131 | . |
| | 132 | .PP |
| | 133 | For a more customized configuration, the helper's certificate storage directory location and size can be altered with the |
| | 134 | .B sslcrtd_program |
| | 135 | configuration directive. |
| | 136 | For example: |
| | 137 | .if !'po4a'hide' .RS |
| 778bed98 MM | 138 | .if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@ -s @DEFAULT_SSL_DB_DIR@ -M 4MB |
| | 139 | .if !'po4a'hide' .br |
| bb2b9f7e AJ | 140 | .if !'po4a'hide' .B sslcrtd_children 5 |
| | 141 | .if !'po4a'hide' .RE |
| | 142 | . |
| | 143 | .SH AUTHOR |
| | 144 | This program was written by |
| | 145 | .if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net> |
| | 146 | .PP |
| | 147 | This manual was written by |
| | 148 | .if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net> |
| | 149 | .if !'po4a'hide' .I Amos Jeffries <squid3@treenet.co.nz> |
| | 150 | . |
| | 151 | .SH COPYRIGHT |
| bb2b9f7e | 152 | .PP |
| 4ac4a490 | 153 | * Copyright (C) 1996-2017 The Squid Software Foundation and contributors |
| 9a1b46cc AJ | 154 | * |
| | 155 | * Squid software is distributed under GPLv2+ license and includes |
| | 156 | * contributions from numerous individuals and organizations. |
| | 157 | * Please see the COPYING and CONTRIBUTORS files for details. |
| bb2b9f7e AJ | 158 | . |
| | 159 | .SH QUESTIONS |
| | 160 | Questions on the usage of this program can be sent to the |
| | 161 | .I Squid Users mailing list |
| | 162 | .if !'po4a'hide' <squid-users@squid-cache.org> |
| | 163 | . |
| | 164 | .SH REPORTING BUGS |
| | 165 | Bug reports need to be made in English. |
| | 166 | See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. |
| | 167 | .PP |
| | 168 | Report bugs or bug fixes using http://bugs.squid-cache.org/ |
| | 169 | .PP |
| | 170 | Report serious security bugs to |
| | 171 | .I Squid Bugs <squid-bugs@squid-cache.org> |
| | 172 | .PP |
| | 173 | Report ideas for new improvements to the |
| | 174 | .I Squid Developers mailing list |
| | 175 | .if !'po4a'hide' <squid-dev@squid-cache.org> |
| | 176 | . |
| | 177 | .SH SEE ALSO |
| | 178 | .if !'po4a'hide' .BR squid "(8), " |
| | 179 | .if !'po4a'hide' .BR GPL "(7), " |
| | 180 | .br |
| | 181 | The Squid FAQ wiki |
| | 182 | .if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq |
| | 183 | .br |
| | 184 | The Squid Configuration Manual |
| | 185 | .if !'po4a'hide' http://www.squid-cache.org/Doc/config/ |
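The CONFIGURATION section requires the database to be created with `-c -s directory` before first use, and the KNOWN ISSUES section warns that the stored certificates are already signed, so the database must be erased and re-initialized whenever the signing CA in squid.conf changes. The script below is an added example, not code from Squid or from this manual: it wraps that initialization step, records which CA PEM the database was created for, and reports when a re-initialization is due. It assumes `CERTGEN` names the installed helper (the manual's `@DEFAULT_SSL_CRTD@` placeholder is filled in at build time), that the marker file written beside the database directory is this script's own convention rather than anything the helper reads, and the paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not part of Squid or of the security_file_certgen manual:
# wrapper around the helper's -c initialisation that also records which
# signing CA the database belongs to, so a CA change is caught before Squid
# serves certificates signed by the old CA.
# Assumption: CERTGEN is the installed helper binary (set it explicitly
# when the build-time path differs from the default name).

: "${CERTGEN:=security_file_certgen}"

# Default serial the helper would choose, per the -n option description:
# seconds since the Epoch minus 1200000000, rendered as HEX (the form -n takes).
default_serial_hex() {
    printf '%X\n' "$(( $1 - 1200000000 ))"
}

# A -n argument must be a non-empty string of hexadecimal digits.
is_hex_serial() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Change detector for the CA PEM named in squid.conf. cksum is enough to
# notice that the file was replaced; it is not a cryptographic check.
ca_fingerprint() {
    set -- $(cksum "$1")
    printf '%s:%s\n' "$1" "$2"
}

# Marker path (this script's convention): a sibling of the database
# directory, so nothing is written inside the helper's own storage.
marker_path() {
    printf '%s.signing_ca.cksum\n' "${1%/}"
}

# Returns 0 when the database is missing, was never stamped, or the CA
# changed since it was initialised; returns 1 when it is still current.
needs_reinit() {
    db="$1"; ca="$2"
    [ -d "$db" ] || return 0
    marker=$(marker_path "$db")
    [ -f "$marker" ] || return 0
    [ "$(cat "$marker")" = "$(ca_fingerprint "$ca")" ] && return 1
    return 0
}

# Erase and re-create the database, as the manual requires after a CA change:
#   security_file_certgen [-d] -c -s directory [-n serial]
# The helper creates the directory itself, so any stale copy is removed first.
init_db() {
    db="$1"; ca="$2"; serial="$3"
    case "$db" in
        ''|/|//|/.) echo "init_db: refusing to erase '$db'" >&2; return 2 ;;
    esac
    if [ -n "$serial" ] && ! is_hex_serial "$serial"; then
        echo "init_db: serial must be HEX, got '$serial'" >&2
        return 2
    fi
    rm -rf "$db"
    if [ -n "$serial" ]; then
        "$CERTGEN" -c -s "$db" -n "$serial" || return 1
    else
        "$CERTGEN" -c -s "$db" || return 1
    fi
    ca_fingerprint "$ca" > "$(marker_path "$db")"
}

# Typical use before starting Squid (both paths are placeholders, not
# values from the manual):
#   needs_reinit /var/lib/squid/ssl_db /etc/squid/ssl_cert/example.com.pem \
#       && init_db /var/lib/squid/ssl_db /etc/squid/ssl_cert/example.com.pem
```

Run the `needs_reinit` check from whatever starts Squid (an init script or a deployment hook) with the same CA file that `cert=` in `http_port` points at; when it returns 0, call `init_db` and only then start the proxy. The serial validation mirrors the manual's statement that `-n` takes a HEX value, and the guard in `init_db` refuses to `rm -rf` an empty or root path so a mis-set variable cannot wipe the wrong directory.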