security_file_certgen(8)    System Manager's Manual   security_file_certgen(8)


NAME

       security_file_certgen - SSL certificate generator for Squid.

       Version 1.1

SYNOPSIS

       security_file_certgen [-cdhv] [-s directory -M size] [-b fs_block_size]


DESCRIPTION

       security_file_certgen is an installed binary.

       Because the generation and signing of SSL certificates takes time, Squid
       can use this helper as an external process to handle the work.
       Communication occurs via TCP sockets bound to the loopback interface.
       This helper can use a disk cache of certificates to improve response
       times on repeated requests. It can also operate without a cache,
       generating new certificates on every request.


OPTIONS

       -b fs_block_size
                   File system block size in bytes. Needed for computing the
                   natural size of a certificate on disk. Default value is 2048
                   bytes. The following suffixes are accepted: B, KB, MB, GB.
                   When no suffix is set, B is assumed.

       -c          Initialize the SSL storage database and exit. Requires the
                   -s and -M options to determine the storage location and
                   size being created.

       -d          Write debug info to stderr.

       -h          Display the binary help and command line syntax info using
                   stderr.

       -s directory
                   Directory path of SSL storage database. Requires the -M
                   option.

       -M size     Maximum size of SSL certificate disk storage. Same suffixes
                   supported by the -b option can be used.

       -v          Display the binary version details using stderr.


KNOWN ISSUES

       SSL errors after changing the CA

       Certificates are stored in this database in signed form. After any
       change to the signing CA in squid.conf be sure to erase and reinitialize
       the certificate database; otherwise certificates signed by the old CA
       keep being served from the cache, and clients that trust only the new
       CA reject them.

       Certificate chaining

       The versions 1.0 to 1.1 of this helper will not add chained intermediate
       CA certificates. The client must have a full chain of trust from the
       root CA all the way down to the end certificate generated by this
       program. Signing with an intermediate CA therefore requires installing
       both the root and the intermediate public CA certificates on the
       clients.


CONFIGURATION

       Before this helper can be used with disk storage, the storage area for
       new certificates must be initialized manually. This is done from the
       command line using the -c parameter.

       For example:
              /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

       The storage directory must be writable by the user the helper runs as
       (Squid's cache_effective_user), so create it as that user or change its
       ownership afterwards, and keep it unreadable by other users: the stored
       PEM files hold the private keys of the generated certificates.

       Certificates are stored in this database in signed form. After any
       change to the signing CA in squid.conf be sure to erase and re-initialize
       the certificate database.

       For simple configuration the helper defaults can be used. Only HTTP
       listening port options are required to enable generation and set the
       signing CA certificate.

       For example:
              http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/example.com.pem

       For more customized configuration, the helper certificate storage
       directory location and size can be altered with the sslcrtd_program
       configuration directive. The number of helper processes running can be
       configured with the sslcrtd_children configuration directive.

       For example:
              sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
              sslcrtd_children 5

       To operate without disk storage, the helper should be configured
       explicitly without the -s and -M parameters.

       For example:
              sslcrtd_program /usr/lib64/squid/security_file_certgen

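       The following script is an added example written for this manual; it
       is not part of Squid or of the helper. It ties the KNOWN ISSUES caveat
       to the configuration above: it parses squid.conf, checks that -s and -M
       are paired on the sslcrtd_program line (and that -c never appears
       there), takes the signing CA from the cert= option of the ssl-bump
       http_port line, and compares a SHA-256 of that file with one recorded
       beside the storage directory, so that a changed CA produces the
       erase-and-reinitialize sequence instead of stale certificates being
       served. The marker file location (<directory>.ca_sha256) and the
       injectable read_file parameter are this example's own assumptions.

```python
"""Pre-flight check for security_file_certgen disk storage (added example).

Not part of Squid or of the helper. Reads squid.conf, verifies that -s and
-M appear together on the sslcrtd_program line, takes the signing CA from
the ssl-bump http_port line, and detects a CA change by comparing a SHA-256
of the CA file with one recorded the last time the database was
initialised. The marker file (assumed: <directory>.ca_sha256) is this
example's own convention; the helper keeps no such record itself.
"""
import hashlib
import shlex
import sys


def parse_squid_conf(text):
    """Return (helper_argv, ca_cert_path); either is None when absent."""
    helper_argv = ca_cert = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop squid.conf comments
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "sslcrtd_program" and len(words) > 1:
            helper_argv = words[1:]                 # element 0 is the helper path
        elif words[0] == "http_port" and "ssl-bump" in words and ca_cert is None:
            for w in words:
                if w.startswith(("cert=", "tls-cert=")):   # Squid 3 / Squid 4 names
                    ca_cert = w.split("=", 1)[1]
    return helper_argv, ca_cert


def storage_options(helper_argv):
    """Return (directory, size); (None, None) means no disk storage.
    Raises ValueError for option mixes the helper rejects."""
    directory = size = None
    args, i = helper_argv[1:], 0
    while i < len(args):
        opt = args[i]
        if opt in ("-s", "-M", "-b"):               # options that take a value
            if i + 1 >= len(args):
                raise ValueError("%s needs an argument" % opt)
            if opt == "-s":
                directory = args[i + 1]
            elif opt == "-M":
                size = args[i + 1]
            i += 2
            continue
        if opt.startswith("-") and "c" in opt[1:]:  # -c alone or bundled, e.g. -cd
            raise ValueError("-c initialises the database and exits; not for squid.conf")
        i += 1
    if (directory is None) != (size is None):
        raise ValueError("-s and -M must be given together")
    return directory, size


def ca_digest(pem_bytes):
    """SHA-256 of the CA file as stored on disk; any change counts as a new CA."""
    return hashlib.sha256(pem_bytes).hexdigest()


def reinit_needed(recorded_digest, pem_bytes):
    """True when nothing was recorded (fresh or unknown database) or the
    configured CA no longer matches the one the stored certificates carry."""
    return recorded_digest is None or recorded_digest.strip() != ca_digest(pem_bytes)


def reinit_commands(helper_path, directory, size):
    """The erase-and-reinitialise sequence the manual prescribes, as argv lists."""
    return [["rm", "-rf", directory],
            [helper_path, "-c", "-s", directory, "-M", size]]


def check(conf_text, read_file):
    """Return (needed, commands, marker_path, digest) for a squid.conf text.
    read_file(path) returns the file's bytes, or None if it does not exist."""
    helper_argv, ca_cert = parse_squid_conf(conf_text)
    if helper_argv is None:
        return False, [], None, None                # helper defaults: no disk storage
    directory, size = storage_options(helper_argv)
    if directory is None:
        return False, [], None, None                # memory-only: nothing to go stale
    pem = read_file(ca_cert) if ca_cert else None
    if pem is None:
        raise ValueError("ssl-bump http_port without a readable cert= file")
    marker = directory.rstrip("/") + ".ca_sha256"   # assumed marker location
    recorded = read_file(marker)
    recorded = recorded.decode() if recorded is not None else None
    needed = reinit_needed(recorded, pem)
    cmds = reinit_commands(helper_argv[0], directory, size) if needed else []
    return needed, cmds, marker, ca_digest(pem)


def read_or_none(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/squid/squid.conf"
    with open(conf) as f:
        needed, cmds, marker, digest = check(f.read(), read_or_none)
    if not needed:
        print("certificate database matches the configured CA")
    else:
        print("CA changed or not recorded; run as the helper's user:")
        for c in cmds:
            print("  " + shlex.join(c))
        print("then record the CA: printf '%s' %s > %s" % (digest, marker))
```

       Run it as the user the helper runs as, pointing it at squid.conf. It
       only prints the erase-and-reinitialize commands and the marker to write
       afterwards; it never erases anything itself, so the operator keeps the
       decision to discard the cached certificates.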

AUTHOR

       This program was written by Christos Tsantilas <christos@chtsanti.net>

       This manual was written by Christos Tsantilas <christos@chtsanti.net>
       and Amos Jeffries <amosjeffries@squid-cache.org>

        * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
        *
        * Squid software is distributed under GPLv2+ license and includes
        * contributions from numerous individuals and organizations.
        * Please see the COPYING and CONTRIBUTORS files for details.


QUESTIONS

       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@lists.squid-cache.org>


REPORTING BUGS

       Bug reports need to be made in English. See
       https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using https://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs
       <squid-bugs@lists.squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@lists.squid-cache.org>


SEE ALSO

       squid(8), GPL(7),
       The Squid FAQ wiki https://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/



                                                      security_file_certgen(8)