ssl_crtd(8)

NAME
ssl_crtd - SSL certificate generator.
Version 1.0
SYNOPSIS
ssl_crtd [-dhv]
ssl_crtd [-d] -s directory [-M size]
ssl_crtd [-d] -c -s directory [-n serial number]
ssl_crtd [-d] -g -s directory
DESCRIPTION
ssl_crtd is an installed binary.
Because the generation and signing of SSL certificates takes time, Squid
must use an external process to handle the work. This process generates
new SSL certificates and uses a disk cache of certificates to improve
response times on repeated requests. Communication occurs via TCP
sockets bound to the loopback interface.
OPTIONS
-b fs_block_size
File system block size in bytes. Needed for processing natural size
of certificate on disk. Default value is 2048 bytes.
-c Initialize the SSL storage database and exit. Requires the
-s option to determine the storage location being created.
-d Write debug info to stderr.
-g Display the current serial number using stderr and exit.
Requires -s option to determine which storage directory the
serial is located in.
-h Display the binary help and command line syntax info using
stderr.
-s directory
Directory path of disk storage for new SSL certificates.
-M size Maximum size of SSL certificate disk storage.
-n serial number
HEX serial number to use when initializing an SSL storage
database. The default value of serial number is the number
of seconds since Epoch minus 1200000000.
-v Display the binary version details using stderr.
KNOWN ISSUES
SSL errors after changing the CA
Certificates are stored in this database in signed form. After any
change to the signing CA in squid.conf be sure to erase and re-initialize
the certificate database.
Certificate chaining
The version 1.0 of this helper will not add chained intermediate CA
certificates. The client must have a full chain of trust from the root
CA all the way down to the end certificate generated by this program.
Signing with an intermediate CA requires installing both the root and the
intermediate public CA certificates on the clients.
CONFIGURATION
Before this helper can be used the storage area for new certificates
must be initialized manually. This is done from the command line using
the -c parameter.
For example:
ssl_crtd -c -s /var/lib/ssl_db
Certificates are stored in this database in signed form. After any
change to the signing CA in squid.conf be sure to erase and re-initialize
the certificate database.
For simple configuration the helper defaults can be used. Only the
http_port options that enable generation and set the signing CA
certificate are required. For example:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem
For more customized configuration the helper certificate storage
directory location and size can be altered with the sslcrtd_program
configuration directive. For example:
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
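The initialization and configuration steps above, wrapped in a small POSIX sh script. This is an added example and is not part of the ssl_crtd manual or the Squid project; the function names, the SSL_CRTD variable and the refusal to initialize over a non-empty directory are this example's own choices. The only ssl_crtd flags it uses (-c, -s, -n, -M) and the squid.conf directives (sslcrtd_program, sslcrtd_children) are the ones documented on this page. Rendering the default serial in upper-case hex is an assumption, made because -n takes a HEX serial and the computed value may need to be passed back through it.

```shell
#!/bin/sh
# Added example, not from the ssl_crtd man page or the Squid project.
# Wraps the CONFIGURATION procedure: compute a serial, build the -c
# initialization command, check the storage directory, and emit the
# squid.conf lines. Nothing here executes ssl_crtd itself.

# Path to the helper binary; the man page's own example uses this
# location. Override with SSL_CRTD=... in the environment if needed.
SSL_CRTD="${SSL_CRTD:-/usr/local/squid/libexec/ssl_crtd}"

# Default serial as the man page describes it: seconds since the Epoch
# minus 1200000000. Printed in upper-case hex (assumption: -n is HEX).
# $1: epoch seconds (defaults to now), so the function is testable.
default_serial_hex() {
    now="${1:-$(date +%s)}"
    printf '%X\n' $(( $now - 1200000000 ))
}

# Build the "ssl_crtd -c -s directory [-n serial]" command line.
# $1: storage directory, $2: optional HEX serial for -n.
build_init_cmd() {
    if [ -n "$2" ]; then
        printf '%s -c -s %s -n %s\n' "$SSL_CRTD" "$1" "$2"
    else
        printf '%s -c -s %s\n' "$SSL_CRTD" "$1"
    fi
}

# KNOWN ISSUES says a CA change requires erasing and re-initializing the
# database. Initializing silently on top of an existing directory would
# hide that step, so this check makes the erase explicit: returns 0 when
# the directory is absent or empty, 1 when it exists and holds files
# (or is not a directory at all).
db_dir_is_fresh() {
    dir="$1"
    [ ! -e "$dir" ] && return 0
    [ -d "$dir" ] || return 1
    # ls -A lists dotfiles too; any output means the directory is in use.
    [ -z "$(ls -A "$dir" 2>/dev/null)" ]
}

# Emit the two squid.conf lines from CONFIGURATION with the storage
# directory, -M size and child count filled in.
# $1: storage dir, $2: -M size (e.g. 4MB), $3: sslcrtd_children value.
squid_conf_snippet() {
    printf 'sslcrtd_program %s -s %s -M %s\n' "$SSL_CRTD" "$1" "$2"
    printf 'sslcrtd_children %s\n' "$3"
}

# Demonstration, run only when SSL_CRTD_DEMO=1 is set in the environment.
if [ "${SSL_CRTD_DEMO:-0}" = 1 ]; then
    DB=/var/lib/ssl_db
    if db_dir_is_fresh "$DB"; then
        echo "would run: $(build_init_cmd "$DB" "$(default_serial_hex)")"
    else
        echo "$DB is not empty: erase it first if the signing CA changed" >&2
    fi
    squid_conf_snippet "$DB" 4MB 5
fi
```

Run it with `SSL_CRTD_DEMO=1 sh ssl_crtd_setup.sh` to see the command it would issue and the squid.conf lines; the directory check is deliberately a refusal rather than an automatic `rm -rf`, so that discarding certificates signed by an old CA stays an operator decision.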
AUTHOR
This program was written by Christos Tsantilas <christos@chtsanti.net>
This manual was written by Christos Tsantilas <christos@chtsanti.net>
Amos Jeffries <squid3@treenet.co.nz>
COPYRIGHT
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or
later (GPLv2+).
QUESTIONS
Questions on the usage of this program can be sent to the Squid Users
mailing list <squid-users@squid-cache.org>
REPORTING BUGS
Bug reports need to be made in English. See
http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you
need to include with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>
Report ideas for new improvements to the Squid Developers mailing list
<squid-dev@squid-cache.org>
SEE ALSO
squid(8), GPL(7),
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/