1 .if !'po4a'hide' .TH security_file_certgen 8
2 .
3 .SH NAME
4 security_file_certgen \- SSL certificate generator for Squid.
5 .PP
6 Version 1.0
7 .
8 .SH SYNOPSIS
9 .if !'po4a'hide' .B security_file_certgen
10 .if !'po4a'hide' .B [\-dhv]
11 .br
12 .if !'po4a'hide' .B security_file_certgen
13 .if !'po4a'hide' .B "[\-d] \-s "
14 directory
15 .if !'po4a'hide' .B "[\-M "
16 size
17 .if !'po4a'hide' .B "] [\-b "
18 fs_block_size
19 .if !'po4a'hide' .B ]
20 .br
21 .if !'po4a'hide' .B security_file_certgen
22 .if !'po4a'hide' .B "[\-d] \-c \-s "
23 directory
24 .
25 .SH DESCRIPTION
26 .B security_file_certgen
27 is an installed binary.
28 .PP
29 Because the generation and signing of SSL certificates takes time,
30 Squid must use an external process to handle the work.
31 .
32 This process generates new SSL certificates and uses a disk cache of certificates
33 to improve response times on repeated requests.
34 Communication occurs via TCP sockets bound to the loopback interface.
35 .
36 .SH OPTIONS
37 .if !'po4a'hide' .TP 12
38 .if !'po4a'hide' .B \-b fs_block_size
39 File system block size in bytes. Needed to calculate the actual space a certificate occupies on disk.
40 Default value is 2048 bytes. The following suffixes are accepted: B, KB, MB, GB.
41 When no suffix is set, B is assumed.
42 .
43 .if !'po4a'hide' .TP
44 .if !'po4a'hide' .B \-c
45 Initialize the SSL storage database and exit. Requires the
46 .B \-s
47 option to determine the storage location being created.
48 .
49 .if !'po4a'hide' .TP
50 .if !'po4a'hide' .B \-d
51 Write debug info to stderr.
52 .
53 .if !'po4a'hide' .TP
54 .if !'po4a'hide' .B \-h
55 Display the binary help and command line syntax info using stderr.
56 .
57 .if !'po4a'hide' .TP
58 .if !'po4a'hide' .B \-s directory
59 Directory path of SSL storage database.
60 .
61 .if !'po4a'hide' .TP
62 .if !'po4a'hide' .B \-M size
63 Maximum size of SSL certificate disk storage. Same suffixes supported by the
64 .B \-b
65 option can be used.
66 .
67 .if !'po4a'hide' .TP
68 .if !'po4a'hide' .B \-v
69 Display the binary version details using stderr.
70 .
71 .SH KNOWN ISSUES
72 .PP
73 .B SSL errors after changing the CA
74 .
75 .PP
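76 Certificates are stored in this database in signed form.
77 After any change to the signing CA in squid.conf, be sure to erase and re-initialize the certificate database; otherwise certificates signed by the previous CA may still be served from the database, and clients that trust only the new CA will reject them.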
78 .
79 .PP
80 .B Certificate chaining
81 .
82 .PP
83 Version 1.0 of this helper does not add chained intermediate CA certificates.
84 The client must have a full chain of trust from the root CA all the way
85 down to the end certificate generated by this program.
86 .
87 Signing with an intermediate CA requires installing both the
88 root and the intermediate public CA certificates on the clients.
89 .
90 .SH CONFIGURATION
91 .PP
92 Before this helper can be used, the storage area for new certificates must be initialized manually.
93 This is done from the command line using the
94 .B \-c
95 parameter.
96 .
97 .PP
98 For example:
99 .if !'po4a'hide' .RS
100 .if !'po4a'hide' .B @DEFAULT_SSL_CRTD@ \-c \-s @DEFAULT_SSL_DB_DIR@
101 .if !'po4a'hide' .RE
102 .
103 .PP
104 Certificates are stored in this database in signed form.
105 After any change to the signing CA in squid.conf, be sure to erase and re-initialize the certificate database so that certificates signed by the previous CA are not reused.
106 .
107 .PP
108 For simple configuration the helper defaults can be used.
109 Only HTTP listening port options are required to enable generation and set the signing CA certificate.
110 For example:
111 .if !'po4a'hide' .RS
112 .if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=@SYSCONFDIR@/ssl_cert/example.com.pem
113 .if !'po4a'hide' .RE
114 .
115 .PP
116 For more customized configuration the helper certificate storage directory location and size can be altered with the
117 .B sslcrtd_program
118 configuration directive.
119 For example:
120 .if !'po4a'hide' .RS
121 .if !'po4a'hide' .B sslcrtd_program @DEFAULT_SSL_CRTD@ \-s @DEFAULT_SSL_DB_DIR@ \-M 4MB
122 .if !'po4a'hide' .br
123 .if !'po4a'hide' .B sslcrtd_children 5
124 .if !'po4a'hide' .RE
125 .
126 .SH AUTHOR
127 This program was written by
128 .if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
129 .PP
130 This manual was written by
131 .if !'po4a'hide' .I Christos Tsantilas <christos@chtsanti.net>
132 and
133 .if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
134 .
135 .SH COPYRIGHT
136 .PP
137 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
138 *
139 * Squid software is distributed under GPLv2+ license and includes
140 * contributions from numerous individuals and organizations.
141 * Please see the COPYING and CONTRIBUTORS files for details.
142 .
143 .SH QUESTIONS
144 Questions on the usage of this program can be sent to the
145 .I Squid Users mailing list
146 .if !'po4a'hide' <squid-users@lists.squid-cache.org>
147 .
148 .SH REPORTING BUGS
149 Bug reports need to be made in English.
150 See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
151 .PP
152 Report bugs or bug fixes using http://bugs.squid-cache.org/
153 .PP
154 Report serious security bugs to
155 .I Squid Bugs <squid-bugs@lists.squid-cache.org>
156 .PP
157 Report ideas for new improvements to the
158 .I Squid Developers mailing list
159 .if !'po4a'hide' <squid-dev@lists.squid-cache.org>
160 .
161 .SH SEE ALSO
162 .if !'po4a'hide' .BR squid "(8), "
163 .if !'po4a'hide' .BR GPL "(7), "
164 .br
165 The Squid FAQ wiki
166 .if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
167 .br
168 The Squid Configuration Manual
169 .if !'po4a'hide' http://www.squid-cache.org/Doc/config/