
4
  • "To be clear, a client cert like this is only useful in authenticating yourself to the proxy. You cannot use a cert in the client/browser to authenticate to something on the Internet through ANY HTTPS MitM, and you cannot use a client cert you issue yourself to authenticate to anybody else's system(s) on the Internet." Commented Jun 23, 2016 at 15:40
  • My intent here was to create an https MitM for restricting the hours / sites that my children can access on the internet via Squid 3.3.8 and Dansguardian using a project called GateSentry (abdullahirfan.com/my-projects/gatesentry), so what sorts of certificates do I need to do that? The project itself comes with certificates but I can't trust them, so I'm trying to replace them. I was under the impression that I could self-sign a certificate for that very use. Commented Jun 23, 2016 at 15:41
  • This is why I am under that impression: unix.stackexchange.com/questions/289706/… Commented Jun 23, 2016 at 15:44
  • 1
    @leeand00 The answer on #289706 correctly says an SSL/TLS interceptor like squid+bump must have a CA key and cert, which you should generate yourself so no one else knows the key, and the CA cert (not key) must be installed as a CA cert on your browsers/clients. It does NOT say a client key&cert, which is useless here. This corresponds to only 'root key' and 'root certificate' steps of jamielinux.com/docs/openssl-certificate-authority/… -- no files&dirs for openssl issue (squid does that), no intermediate, no servers and clients. Commented Jun 23, 2016 at 21:20
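The last comment's point, as an added example (not part of the thread, and not GateSentry's or Squid's own code): the interceptor needs only a self-generated CA key and CA certificate, and clients receive the certificate alone. The file names, the CN and the validity period are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. File names, the CN and the validity period are constructed.
set -eu

# make_bump_ca DIR [CN]: create the 'root key' and 'root certificate' only.
make_bump_ca() {
    dir=$1; cn=${2:-Example Home Proxy CA}
    mkdir -p "$dir"
    # Own config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # The private key never leaves the proxy host; create it owner-only.
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null )
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca.key" \
        -sha256 -days 1095 -out "$dir/ca.crt"
}

# is_ca_cert FILE: true only if the certificate carries CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_matches_cert KEY CERT: true if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# export_for_clients DIR OUT: copy what browsers need, the cert and no key.
export_for_clients() {
    mkdir -p "$2"
    openssl x509 -in "$1/ca.crt" -outform DER -out "$2/proxy-ca.der"
    cp "$1/ca.crt" "$2/proxy-ca.pem"
}

# Optional demo: pass a directory as the first argument.
if [ -n "${1:-}" ]; then make_bump_ca "$1"; export_for_clients "$1" "$1/clients"; fi
```

Running `is_ca_cert` against the certificates shipped with a project is a quick way to see whether a given file is a CA certificate at all before replacing it.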