[thirdparty/squid.git] / src / security / cert_generators / file / security_file_certgen.8.in

.if !'po4a'hide' .TH security_file_certgen 8
.
.SH NAME
security_file_certgen \- SSL certificate generator for Squid.
.PP
Version 1.0
.
.SH SYNOPSIS
.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B [\-dhv]
.br
.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B "[\-d] \-s "
directory
.if !'po4a'hide' .B "[\-M "
size
.if !'po4a'hide' .B ]
.br
.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B "[\-d] \-c \-s "
directory
.if !'po4a'hide' .B "[\-n "
serial number
.if !'po4a'hide' .B ]
.br
.if !'po4a'hide' .B security_file_certgen
.if !'po4a'hide' .B "[\-d] \-g \-s "
directory
.
.SH DESCRIPTION
.B security_file_certgen
is an installed binary.
.PP
Because the generation and signing of SSL certificates takes time
Squid must use external process to handle the work.
.
This process generates new SSL certificates and uses a disk cache of certificatess
to improve response times on repeated requests.
Communication occurs via TCP sockets bound to the loopback interface.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-b fs_block_size
File system block size in bytes. Needed for processing natural size of certificate on disk.
Default value is 2048 bytes.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-c
Initialize the SSL storage database and exit.
Requires the 
.B -s 
option to determine the storage location being created.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-g
Display the current serial number using stderr and exit.
Requires 
.B \-s 
option to determine which storage directory the serial is located in.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-s directory
Directory path of disk storage for new SSL certificates.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-M size
Maximum size of SSL certificate disk storage.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-n serial number
HEX 
.B "serial number "
to use when initializing an SSL storage database.
The default value of serial number is the number of seconds since Epoch minus 1200000000.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-v
Display the binary version details using stderr.
.
.SH KNOWN ISSUES
.PP
.B SSL errors after changing the CA
.
.PP
Certificates are stored in this database in signed form.
After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
.
.PP
.B Certificate chaining
.
.PP
The version 1.0 of this helper will not add chained intermediate CA certificates.
The client must have a full chain of trust from the root CA all the way
down to the end certificate generated by this program.
.
Signing with an intermediate CA needs to install both the
root and the intermediate public CA on the clients.
.
.SH CONFIGURATION
.PP
Before this helper can be used the storage area for new certificates must be initialized manually.
This is done from the command line using the 
.B \-c 
parameters.
.
.PP
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B @DEFAULT_SSL_CRTD@ -c -s @DEFAULT_SSL_DB_DIR@
.if !'po4a'hide' .RE
.
.PP
Certificates are stored in this database in signed form.
After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
.
.PP
For simple configuration the helper defaults can be used.
Only HTTP listening port options are required to enable generation and set the signign CA certificate.
For Example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=@SYSCONFDIR@/ssl_cert/example.com.pem
.if !'po4a'hide' .RE
.
.PP
For more customized configuration the helper certificate storage directory location and size can be altered with the
.B sslcrtd_program 
configuration directive.
For example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@ -s @DEFAULT_SSL_DB_DIR@ -M 4MB
.if !'po4a'hide' .br
.if !'po4a'hide' .B sslcrtd_children 5
.if !'po4a'hide' .RE
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
.PP
This manual was written by
.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
.if !'po4a'hide' .I Amos Jeffries <squid3@treenet.co.nz>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
Commit	Line	Data
cb0b3d63	1	.if !'po4a'hide' .TH security_file_certgen 8
bb2b9f7e AJ	2	.
bb2b9f7e AJ	3	.SH NAME
cb0b3d63	4	security_file_certgen \- SSL certificate generator for Squid.
bb2b9f7e AJ	5	.PP
	6	Version 1.0
	7	.
	8	.SH SYNOPSIS
cb0b3d63	9	.if !'po4a'hide' .B security_file_certgen
bb2b9f7e	10	.if !'po4a'hide' .B [\-dhv]
778bed98	11	.br
cb0b3d63	12	.if !'po4a'hide' .B security_file_certgen
778bed98	13	.if !'po4a'hide' .B "[\-d] \-s "
bb2b9f7e	14	directory
cb0b3d63	15	.if !'po4a'hide' .B "[\-M "
bb2b9f7e AJ	16	size
bb2b9f7e AJ	17	.if !'po4a'hide' .B ]
778bed98	18	.br
cb0b3d63	19	.if !'po4a'hide' .B security_file_certgen
bb2b9f7e AJ	20	.if !'po4a'hide' .B "[\-d] \-c \-s "
bb2b9f7e AJ	21	directory
778bed98	22	.if !'po4a'hide' .B "[\-n "
bb2b9f7e	23	serial number
778bed98 MM	24	.if !'po4a'hide' .B ]
778bed98 MM	25	.br
cb0b3d63	26	.if !'po4a'hide' .B security_file_certgen
bb2b9f7e AJ	27	.if !'po4a'hide' .B "[\-d] \-g \-s "
	28	directory
	29	.
	30	.SH DESCRIPTION
cb0b3d63	31	.B security_file_certgen
bb2b9f7e AJ	32	is an installed binary.
	33	.PP
	34	Because the generation and signing of SSL certificates takes time
	35	Squid must use external process to handle the work.
	36	.
	37	This process generates new SSL certificates and uses a disk cache of certificatess
	38	to improve response times on repeated requests.
	39	Communication occurs via TCP sockets bound to the loopback interface.
	40	.
	41	.SH OPTIONS
	42	.if !'po4a'hide' .TP 12
	43	.if !'po4a'hide' .B \-b fs_block_size
	44	File system block size in bytes. Needed for processing natural size of certificate on disk.
	45	Default value is 2048 bytes.
	46	.
	47	.if !'po4a'hide' .TP
	48	.if !'po4a'hide' .B \-c
	49	Initialize the SSL storage database and exit.
	50	Requires the
	51	.B -s
	52	option to determine the storage location being created.
	53	.
	54	.if !'po4a'hide' .TP
	55	.if !'po4a'hide' .B \-d
	56	Write debug info to stderr.
	57	.
	58	.if !'po4a'hide' .TP
	59	.if !'po4a'hide' .B \-g
	60	Display the current serial number using stderr and exit.
	61	Requires
	62	.B \-s
	63	option to determine which storage directory the serial is located in.
	64	.
	65	.if !'po4a'hide' .TP
	66	.if !'po4a'hide' .B \-h
	67	Display the binary help and command line syntax info using stderr.
	68	.
	69	.if !'po4a'hide' .TP
	70	.if !'po4a'hide' .B \-s directory
	71	Directory path of disk storage for new SSL certificates.
	72	.
	73	.if !'po4a'hide' .TP
	74	.if !'po4a'hide' .B \-M size
	75	Maximum size of SSL certificate disk storage.
	76	.
	77	.if !'po4a'hide' .TP
	78	.if !'po4a'hide' .B \-n serial number
	79	HEX
	80	.B "serial number "
	81	to use when initializing an SSL storage database.
	82	The default value of serial number is the number of seconds since Epoch minus 1200000000.
	83	.
	84	.if !'po4a'hide' .TP
	85	.if !'po4a'hide' .B \-v
	86	Display the binary version details using stderr.
	87	.
	88	.SH KNOWN ISSUES
	89	.PP
5c2b4745 AJ	90	.B SSL errors after changing the CA
	91	.
	92	.PP
	93	Certificates are stored in this database in signed form.
	94	After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
	95	.
	96	.PP
	97	.B Certificate chaining
	98	.
	99	.PP
bb2b9f7e AJ	100	The version 1.0 of this helper will not add chained intermediate CA certificates.
	101	The client must have a full chain of trust from the root CA all the way
	102	down to the end certificate generated by this program.
	103	.
	104	Signing with an intermediate CA needs to install both the
	105	root and the intermediate public CA on the clients.
	106	.
	107	.SH CONFIGURATION
	108	.PP
	109	Before this helper can be used the storage area for new certificates must be initialized manually.
	110	This is done from the command line using the
	111	.B \-c
	112	parameters.
	113	.
	114	.PP
	115	For example:
	116	.if !'po4a'hide' .RS
ad0a76b5	117	.if !'po4a'hide' .B @DEFAULT_SSL_CRTD@ -c -s @DEFAULT_SSL_DB_DIR@
bb2b9f7e AJ	118	.if !'po4a'hide' .RE
bb2b9f7e AJ	119	.
5c2b4745 AJ	120	.PP
	121	Certificates are stored in this database in signed form.
	122	After any change to the signing CA in squid.conf be sure to erase and re-initialize the certificate database.
	123	.
bb2b9f7e AJ	124	.PP
	125	For simple configuration the helper defaults can be used.
	126	Only HTTP listening port options are required to enable generation and set the signign CA certificate.
	127	For Example:
	128	.if !'po4a'hide' .RS
ad0a76b5	129	.if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=@SYSCONFDIR@/ssl_cert/example.com.pem
bb2b9f7e AJ	130	.if !'po4a'hide' .RE
	131	.
	132	.PP
	133	For more customized configuration the helper certificate storage directory location and size can be altered with the
	134	.B sslcrtd_program
	135	configuration directive.
	136	For example:
	137	.if !'po4a'hide' .RS
778bed98 MM	138	.if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@ -s @DEFAULT_SSL_DB_DIR@ -M 4MB
778bed98 MM	139	.if !'po4a'hide' .br
bb2b9f7e AJ	140	.if !'po4a'hide' .B sslcrtd_children 5
	141	.if !'po4a'hide' .RE
	142	.
	143	.SH AUTHOR
	144	This program was written by
	145	.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
	146	.PP
	147	This manual was written by
	148	.if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
	149	.if !'po4a'hide' .I Amos Jeffries <squid3@treenet.co.nz>
	150	.
	151	.SH COPYRIGHT
bb2b9f7e	152	.PP
4ac4a490	153	* Copyright (C) 1996-2017 The Squid Software Foundation and contributors
9a1b46cc AJ	154	*
	155	* Squid software is distributed under GPLv2+ license and includes
	156	* contributions from numerous individuals and organizations.
	157	* Please see the COPYING and CONTRIBUTORS files for details.
bb2b9f7e AJ	158	.
	159	.SH QUESTIONS
	160	Questions on the usage of this program can be sent to the
	161	.I Squid Users mailing list
	162	.if !'po4a'hide' <squid-users@squid-cache.org>
	163	.
	164	.SH REPORTING BUGS
	165	Bug reports need to be made in English.
	166	See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
	167	.PP
	168	Report bugs or bug fixes using http://bugs.squid-cache.org/
	169	.PP
	170	Report serious security bugs to
	171	.I Squid Bugs <squid-bugs@squid-cache.org>
	172	.PP
	173	Report ideas for new improvements to the
	174	.I Squid Developers mailing list
	175	.if !'po4a'hide' <squid-dev@squid-cache.org>
	176	.
	177	.SH SEE ALSO
	178	.if !'po4a'hide' .BR squid "(8), "
	179	.if !'po4a'hide' .BR GPL "(7), "
	180	.br
	181	The Squid FAQ wiki
	182	.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
	183	.br
	184	The Squid Configuration Manual
	185	.if !'po4a'hide' http://www.squid-cache.org/Doc/config/