1security_file_certgen(8)    System Manager's Manual   security_file_certgen(8)
2
3
4

NAME

6       security_file_certgen - SSL certificate generator for Squid.
7
8       Version 1.1
9

SYNOPSIS

11       security_file_certgen [-cdhv] [-s directory -M size ] [-b fs_block_size
12       ]
13

DESCRIPTION

15       security_file_certgen is an installed binary.
16
17       Because the generation and signing of SSL certificates takes time Squid
18       can  use this helper as an external process to handle the work.  Commu‐
19       nication occurs via TCP sockets bound to the loopback interface.   This
20       helper  can  use a disk cache of certificates to improve response times
21       on repeated requests. It can also operate without a  cache,  generating
22       new certificates on every request.
23

OPTIONS

25       -b fs_block_size
26                   File system block size in bytes. Needed for processing nat‐
27                   ural size of certificate on disk.  Default  value  is  2048
28                   bytes.  The following suffixes are accepted: B, KB, MB, GB.
29                   When no suffix is set, B is assumed.
30
31       -c          Initialize the SSL storage database and exit. Requires  the
32                   -s  and  -M  options  to determine the storage location and
33                   size being created.
34
35       -d          Write debug info to stderr.
36
37       -h          Display the binary help and command line syntax info  using
38                   stderr.
39
40       -s directory
41                   Directory path of SSL storage database. Requires the -M op‐
42                   tion.
43
44       -M size     Maximum size of SSL certificate disk storage. Same suffixes
45                   supported by the -b option can be used.
46
47       -v          Display the binary version details using stderr.
48

KNOWN ISSUES

50       SSL errors after changing the CA
51
52       Certificates  are  stored  in  this database in signed form.  After any
53       change to the signing CA in squid.conf be sure to erase and  reinitial‐
54       ize the certificate database.
55
56       Certificate chaining
57
58       The  versions 1.0 to 1.1 of this helper will not add chained intermedi‐
59       ate CA certificates.  The client must have a full chain of  trust  from
60       the  root  CA all the way down to the end certificate generated by this
61       program.  Signing with an intermediate CA needs  to  install  both  the
62       root and the intermediate public CA on the clients.
63

CONFIGURATION

65       Before  this helper can be used with disk storage, the storage area for
66       new certificates must be initialized manually.  This is done  from  the
67       command line using the -c parameter.
68
69       For example:
70              /usr/lib64/squid/security_file_certgen           -c           -s
71              /var/spool/squid/ssl_db -M 4MB
72
73       Certificates are stored in this database in  signed  form.   After  any
74       change to the signing CA in squid.conf be sure to erase and re-initial‐
75       ize the certificate database.
76
77       For simple configuration the helper defaults can be  used.   Only  HTTP
78       listening  port  options  are required to enable generation and set the
79       signing CA certificate.
80
81       For example:
82              http_port  3128   ssl-bump   generate-host-certificates=on   dy‐
83              namic_cert_mem_cache_size=4MB     cert=/etc/squid/ssl_cert/exam‐
84              ple.com.pem
85
86       For more customized configuration, the helper certificate  storage  di‐
87       rectory  location and size can be altered with the sslcrtd_program con‐
88       figuration directive. The number of helper  processes  running  can  be
89       configured with the and ssl_crtd_children configuration directive.
90
91       For example:
92              sslcrtd_program     /usr/lib64/squid/security_file_certgen    -s
93              /var/spool/squid/ssl_db -M 4MB
94              sslcrtd_children 5
95
96       To operate without disk storage, the helper should  be  configured  ex‐
97       plicitly without the -s and -M parameters.
98
99       For example:
100              sslcrtd_program /usr/lib64/squid/security_file_certgen
101

AUTHOR

103       This program was written by Christos Tsantilas <christos@chtsanti.net>
104
105       This  manual  was written by Christos Tsantilas <christos@chtsanti.net>
106       and Amos Jeffries <amosjeffries@squid-cache.org>
107

COPYRIGHT

109        * Copyright (C) 1996-2022 The Squid Software Foundation and  contribu‐
110       tors
111        *
112        * Squid software is distributed under GPLv2+ license and includes
113        * contributions from numerous individuals and organizations.
114        * Please see the COPYING and CONTRIBUTORS files for details.
115

QUESTIONS

117       Questions  on  the usage of this program can be sent to the Squid Users
118       mailing list <squid-users@lists.squid-cache.org>
119

REPORTING BUGS

121       Bug reports  need  to  be  made  in  English.   See  http://wiki.squid-
122       cache.org/SquidFaq/BugReporting for details of what you need to include
123       with your bug report.
124
125       Report bugs or bug fixes using http://bugs.squid-cache.org/
126
127       Report serious security bugs  to  Squid  Bugs  <squid-bugs@lists.squid-
128       cache.org>
129
130       Report  ideas for new improvements to the Squid Developers mailing list
131       <squid-dev@lists.squid-cache.org>
132

SEE ALSO

134       squid(8), GPL(7),
135       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
136       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
137
138
139
140                                                      security_file_certgen(8)