Squid Proxy and Microsoft AD Certificate Services


I've got a Squid proxy server using the sslbump feature that works fine with self-signed certs, but the browsers complain about it. Now I'm trying to set up the Squid server as a subordinate CA of our Active Directory CA so that the browsers trust the certs created by Squid. Here's an overview of what I'm doing that's not working:

  • Creating a CSR with openssl on the squid server
  • pasting that CSR into Microsoft AD Certificate Services (using the
    Subordinate CA template)
  • Taking the resulting Base-64 cert and putting it on the Squid server

This results in the browsers complaining about the certs. When I view the cert from within the browser I always get the following error: "Windows does not have enough information to verify this certificate", and there are no CAs in the certification path.
The steps I listed above are in greater detail here. Certs aren't my strong point, and I'm not sure where to go from here. I feel like the issue might be related to how I created the CSR, or possibly that my understanding of the process is fundamentally wrong. Any help is appreciated.

And yes, our end users are aware of this.

Best Answer

The answer may be late, but anyway: you need to cat the private key and the subordinate certificate that you got from your Enterprise CA together to make a PEM out of it that can be used in ssl-bump's cert= directive.

More info at https://blog.diladele.com/2017/03/21/using-subordinate-ca-for-https-decryption-in-active-directory-integrated-squid/
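As an added example (not code from the original post or the linked blog), a POSIX shell script that builds the cert= PEM the answer describes and checks it before Squid uses it: the key must match the certificate, the certificate must chain to the enterprise root, and it must be marked CA:TRUE so ssl-bump can sign the certs it generates. The throwaway root CA and subordinate CSR are constructed stand-ins for the enterprise CA and the AD CS-issued certificate, and all file names are assumptions.

```shell
#!/bin/sh
# Constructed example: build and sanity-check the PEM for ssl-bump's cert= directive.
set -e

# Concatenate the Squid private key and the subordinate CA certificate, key first.
build_bump_pem() {  # build_bump_pem KEY CERT OUT
    cat "$1" "$2" > "$3"
}

# Returns 0 when the PEM's key matches its cert, the cert verifies against the
# enterprise root, and the cert is a CA cert (needed to sign generated certs).
check_bump_pem() {  # check_bump_pem PEM ROOT_CA_PEM
    pem=$1; root=$2; tmp=$(mktemp)
    openssl x509 -in "$pem" -out "$tmp" 2>/dev/null              # first cert in the PEM
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)         # first private key
    certpub=$(openssl x509 -in "$tmp" -pubkey -noout 2>/dev/null)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] || { echo "key/cert mismatch"; rm -f "$tmp"; return 1; }
    openssl verify -CAfile "$root" "$tmp" >/dev/null 2>&1 || { echo "chain does not verify"; rm -f "$tmp"; return 1; }
    openssl x509 -in "$tmp" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA cert"; rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# Constructed stand-in for the enterprise CA: a throwaway root that signs a
# subordinate CSR the way the AD CS Subordinate CA template would.
make_constructed_fixtures() {  # make_constructed_fixtures DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Squid SubCA" \
        -keyout "$d/squid.key" -out "$d/squid.csr" 2>/dev/null
    openssl x509 -req -in "$d/squid.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/squid.crt" 2>/dev/null
}

# End-to-end run; returns 0 when the resulting PEM passes every check.
demo() {
    d=$(mktemp -d)
    make_constructed_fixtures "$d"
    build_bump_pem "$d/squid.key" "$d/squid.crt" "$d/squid-bump.pem"
    if check_bump_pem "$d/squid-bump.pem" "$d/root.pem"; then rc=0; else rc=1; fi
    rm -rf "$d"; return $rc
}

demo && echo "squid-bump.pem is usable for cert="
```

In production, point cert= at the PEM built from your own Squid key and the AD CS-issued certificate, and run check_bump_pem against the enterprise root certificate instead of the constructed one.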
