security_file_certgen(8)    System Manager's Manual   security_file_certgen(8)

NAME
       security_file_certgen - SSL certificate generator for Squid.

       Version 1.1

SYNOPSIS
       security_file_certgen [-cdhv] [-s directory -M size ] [-b fs_block_size ]

DESCRIPTION
       security_file_certgen is an installed binary.

       Because the generation and signing of SSL certificates takes time,
       Squid can use this helper as an external process to handle the work.
       Communication occurs via TCP sockets bound to the loopback interface.
       This helper can use a disk cache of certificates to improve response
       times on repeated requests. It can also operate without a cache,
       generating new certificates on every request.

OPTIONS
       -b fs_block_size
                   File system block size in bytes. Needed to calculate the
                   size a certificate actually occupies on disk. Default
                   value is 2048 bytes. The following suffixes are accepted:
                   B, KB, MB, GB. When no suffix is set, B is assumed.

       -c          Initialize the SSL storage database and exit. Requires the
                   -s and -M options to determine the storage location and
                   size being created.

       -d          Write debug info to stderr.

       -h          Display the binary help and command line syntax info using
                   stderr.

       -s directory
                   Directory path of SSL storage database. Requires the -M
                   option.

       -M size     Maximum size of SSL certificate disk storage. Same suffixes
                   supported by the -b option can be used.

       -v          Display the binary version details using stderr.

KNOWN ISSUES
       SSL errors after changing the CA

       Certificates are stored in this database in signed form. After any
       change to the signing CA in squid.conf be sure to erase and
       reinitialize the certificate database.

       Certificate chaining

       Versions 1.0 to 1.1 of this helper will not add chained intermediate
       CA certificates. The client must have a full chain of trust from the
       root CA all the way down to the end certificate generated by this
       program. When signing with an intermediate CA, both the root and the
       intermediate public CA certificates must be installed on the clients.

CONFIGURATION
       Before this helper can be used with disk storage, the storage area for
       new certificates must be initialized manually. This is done from the
       command line using the -c parameter.

       For example:
              /usr/local/libexec/squid/security_file_certgen -c -s /var/squid/cache/ssl_db -M 4MB

       Certificates are stored in this database in signed form. After any
       change to the signing CA in squid.conf be sure to erase and
       re-initialize the certificate database.
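
       The erase-and-reinitialize step described above and under KNOWN ISSUES,
       as an added example that is not part of the Squid manual: a shell
       function that records a SHA-256 digest of the signing CA file and
       rebuilds the database only when that digest changes. The function
       names, the HELPER variable and the stamp file are assumptions; the
       helper path and the -c -s -M usage are the page's.

```sh
#!/bin/sh
# Added example, not from the Squid manual. HELPER path and the -c -s -M
# usage come from the page; function names and the stamp file are assumptions.
HELPER=${HELPER:-/usr/local/libexec/squid/security_file_certgen}

# Print the SHA-256 of a file (sha256sum on Linux, sha256 on FreeBSD).
ca_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# sync_ssl_db CA_FILE DB_DIR MAX_SIZE
# Prints "unchanged" or "reinitialized"; returns non-zero on failure.
sync_ssl_db() {
    ca=$1 db=$2 size=$3
    # Refuse paths that would make the rm below dangerous.
    case $db in ''|/) echo "refusing db path '$db'" >&2; return 1 ;; esac
    stamp="${db}.ca_digest"   # hypothetical stamp file kept beside the database
    new=$(ca_digest "$ca") || return 1
    [ -n "$new" ] || return 1

    if [ -d "$db" ] && [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$new" ]; then
        echo unchanged
        return 0
    fi

    # CA is new or changed: cached certificates carry the old signature.
    rm -rf -- "$db"
    "$HELPER" -c -s "$db" -M "$size" >&2 || return 1
    printf '%s\n' "$new" > "$stamp"
    echo reinitialized
}
```

       Call it as sync_ssl_db CA_FILE /var/squid/cache/ssl_db 4MB while Squid
       is stopped, running as the account the helper runs under so that the
       new database is writable by it.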

       For simple configuration the helper defaults can be used. Only HTTP
       listening port options are required to enable generation and set the
       signing CA certificate.

       For example:
              http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl_cert/example.com.pem

       For more customized configuration, the helper certificate storage
       directory location and size can be altered with the sslcrtd_program
       configuration directive. The number of helper processes running can be
       configured with the sslcrtd_children configuration directive.

       For example:
              sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/cache/ssl_db -M 4MB
              sslcrtd_children 5

       To operate without disk storage, the helper should be configured
       explicitly without the -s and -M parameters.

       For example:
	      sslcrtd_program /usr/local/libexec/squid/security_file_certgen

AUTHOR
       This program was written by Christos Tsantilas <christos@chtsanti.net>

       This manual was written by Christos Tsantilas <christos@chtsanti.net>
       and Amos Jeffries <amosjeffries@squid-cache.org>

COPYRIGHT
        * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
        *
        * Squid software is distributed under GPLv2+ license and includes
        * contributions from numerous individuals and organizations.
        * Please see the COPYING and CONTRIBUTORS files for details.

QUESTIONS
       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@lists.squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs
       <squid-bugs@lists.squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@lists.squid-cache.org>

SEE ALSO
       squid(8), GPL(7),
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

						      security_file_certgen(8)
