Re: [squid-users] getting a CA to take PEM format csrs

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 27 Aug 2003 02:07:46 +0200

The Thawte guide for Apache mod_ssl works just fine for Squid, and
their instructions does generate a PEM formatted CSR... and Thawte
gives you a PEM formatted certificate back if you follow this
procedure.

The Apache guys have not confused the file formats. Apache mod_ssl
wants PEM formatted certificates just as Squid. This is different
from the DER format expected by many others but has the major benefit
that the certificate can be exchanged in plain text email etc..

However, if you have a CA which insists in binary DER certificates
then OpenSSL have options to convert these to/from PEM format if
needed.

The error you are seeing probably means that your Squid binary is not
SSL enabled.. what does "squid -v" say about your configure options?
And is there any comments regarding configure options next to the
https_port option in your squid.conf.default?

Regards
Henrik

On Tuesday 26 August 2003 23.24, Jonathan Giles wrote:
> hello:
>
> I have a working config for an https accel setup, but I have hit a
> big problem. I have looked over the lists and have not found how
> other people deal with this.
>
> I work with Thawte.com to get other certs for other https (apache)
> servers, and they have told me they do not accept PEM anything.
> And I understand that the csr must be in PEM for a CA to issue a
> PEM crt. Thawte has told me it will be really hard to find a CA
> that accepts PEM.
>
> How have other people here delt with this?
>
> Here attached is Thawte's response to my request.
>
> "Hi Jonathan
>
> The PEM format requirement is misleading, as the PEM format
> mentioned actually refers to a standard DER format certificate, the
> guys developing
> the Apache standards seem to have confused the file types.
> Therefore since
> you are able to generate standard format CSRs, squid should also
> work with
> standard format certificates, even though Apache and squid are not
> the same
> they share the same openssl libraries.
>
> What error message do you receive when you restart the daemon?
> Please send
> us the error logs."
>
> Of course my logs just say Bungled conf file at the config
>
> Aug 25 17:22:29 owa squid: Bungled squid.conf line 62: https_port
> 443 cert=/etc/openssl/certs/owa.clinedavis.com.test.crt
> key=/etc/openssl/private/owa.clinedavis.com.key
>
> This is using the crt and key that was created using Thawte's
> directions.
>
> Any suggestions would be greatly appreciated!
>
> jg
>
>
>
>
>
> ---=---=---
> Jonathan Giles
> Senior Unix Administrator
> Cline Davis Mann
> ---
> Privileged/Confidential Information may be contained in this
> message. If you are not the addressee indicated in this message
> (or responsible for delivery of the message to such person), you
> may not copy or deliver this message to anyone. In such case,
> you should destroy this message and kindly notify the sender
> by reply e-mail. Please advise immediately if you or your
> employer do not consent to Internet e-mail of this kind.
> Opinions, conclusions, and other information in this message
> that do not relate to the official business of CDM shall
> be understood as neither given nor endorsed by it.

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Tue Aug 26 2003 - 18:09:32 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:07 MST