ssl_crtd(8)                 System Manager's Manual                ssl_crtd(8)

NAME

       ssl_crtd - SSL certificate generator for Squid.

       Version 1.0

SYNOPSIS

       ssl_crtd [-dhv]
       ssl_crtd [-d] -s directory [-M size]
       ssl_crtd [-d] -c -s directory [-n] serial number
       ssl_crtd [-d] -g -s directory

DESCRIPTION

       ssl_crtd is an installed binary.

       Because the generation and signing of SSL certificates takes time,
       Squid must use an external process to handle the work.  This process
       generates new SSL certificates and uses a disk cache of certificates
       to improve response times on repeated requests.  Communication occurs
       via TCP sockets bound to the loopback interface.

OPTIONS

       -b fs_block_size
                   File system block size in bytes.  Needed for processing
                   the natural size of a certificate on disk.  Default value
                   is 2048 bytes.

       -c          Initialize the SSL storage database and exit.  Requires the
                   -s option to determine the storage location being created.

       -d          Write debug info to stderr.

       -g          Display the current serial number using stderr and exit.
                   Requires the -s option to determine which storage directory
                   the serial is located in.

       -h          Display the binary help and command line syntax info using
                   stderr.

       -s directory
                   Directory path of disk storage for new SSL certificates.

       -M size     Maximum size of SSL certificate disk storage.

       -n serial number
                   HEX serial number to use when initializing an SSL storage
                   database.  The default value of serial number is the number
                   of seconds since Epoch minus 1200000000.

       -v          Display the binary version details using stderr.

KNOWN ISSUES

       SSL errors after changing the CA

       Certificates are stored in this database in signed form.  After any
       change to the signing CA in squid.conf be sure to erase and
       re-initialize the certificate database.

       Certificate chaining

       Version 1.0 of this helper will not add chained intermediate CA
       certificates.  The client must have a full chain of trust from the root
       CA all the way down to the end certificate generated by this program.
       Signing with an intermediate CA requires both the root and the
       intermediate public CA to be installed on the clients.

CONFIGURATION

       Before this helper can be used, the storage area for new certificates
       must be initialized manually.  This is done from the command line using
       the -c option.

       For example:
              ssl_crtd -c -s /var/lib/ssl_db

       Certificates are stored in this database in signed form.  After any
       change to the signing CA in squid.conf be sure to erase and
       re-initialize the certificate database.

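       The erase-and-re-initialize step above, as an added shell example that
       is not part of the Squid manual: it keeps a SHA-256 stamp of the
       signing CA file beside the store and rebuilds the store with
       ssl_crtd -c only when the CA has changed.  The function names, the
       SSL_CRTD variable and the stamp file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Squid: rebuild the ssl_crtd store only when the
# signing CA file changes. Function names and the stamp file are assumptions.

SSL_CRTD="${SSL_CRTD:-ssl_crtd}"   # helper binary; set to its full path if not in PATH

# Print the SHA-256 of the CA file given in the http_port cert= option.
ca_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the store $2 has no stamp or was built for a different CA than $1.
ca_changed() {
    stamp="${2}.ca.sha256"
    [ -f "$stamp" ] || return 0
    [ "$(cat "$stamp")" != "$(ca_digest "$1")" ]
}

# Erase the store, re-create it with -c, then record which CA it belongs to.
reinit_ssl_db() {
    ca_file=$1; db_dir=$2
    case "$db_dir" in
        /?*) ;;   # absolute path other than "/"
        *) echo "refusing to remove '$db_dir'" >&2; return 2 ;;
    esac
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 1; }
    rm -rf -- "$db_dir"
    "$SSL_CRTD" -c -s "$db_dir" || return 1
    # The stamp sits beside the store, so the store holds only ssl_crtd's files.
    ca_digest "$ca_file" > "${db_dir}.ca.sha256"
}

# Re-initialize only when needed; prints "reinitialized" or "unchanged".
sync_ssl_db() {
    if ca_changed "$1" "$2"; then
        reinit_ssl_db "$1" "$2" && echo reinitialized
    else
        echo unchanged
    fi
}

# Usage (assumed to run while Squid is stopped):
#   sync_ssl_db /usr/local/squid/ssl_cert/www.sample.com.pem /var/lib/ssl_db
```
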
       For simple configuration the helper defaults can be used.  Only HTTP
       listening port options are required to enable generation and set the
       signing CA certificate.  For example:
              http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem

       For more customized configuration the helper certificate storage
       directory location and size can be altered with the sslcrtd_program
       configuration directive.  For example:
              sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
              sslcrtd_children 5

AUTHOR

       This program was written by Christos Tsantilas <christos@chtsanti.net>

       This manual was written by Christos Tsantilas <christos@chtsanti.net>
       Amos Jeffries <squid3@treenet.co.nz>

        * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
        *
        * Squid software is distributed under GPLv2+ license and includes
        * contributions from numerous individuals and organizations.
        * Please see the COPYING and CONTRIBUTORS files for details.

QUESTIONS

       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@squid-cache.org>

REPORTING BUGS

       Bug reports need to be made in English.  See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@squid-cache.org>

SEE ALSO

       squid(8), GPL(7),
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/