Distribute root certificate to clients

Distribute root certificate to clients

Nicolas Kovacs
Hi,

I have a few prospective clients who want/need to log and monitor all
their web traffic and asked me to find a viable solution for this.

After a couple of weeks of fiddling, I decided to opt for the
Squid+SquidAnalyzer setup, which works quite well. I have a sandbox
installation here in my office that already works quite satisfyingly.

While working out the solution (thanks again to you guys, you know who
you are), I took some extensive notes on my technical blog:

  * https://blog.microlinux.fr/squid-centos/

  * https://blog.microlinux.fr/squid-https-centos/

  * https://blog.microlinux.fr/squidanalyzer-centos/

  * https://blog.microlinux.fr/squid-exceptions/

I have yet one problem to tackle, and I already have a solution in mind.
Though I thought I'd rather ask here first, since this is a bit new to
me, and you guys have much more experience.

Most of my clients are small businesses with up to a few dozen client
PCs, and also wireless access.

The problem I'm currently facing is: how to provide an easy installation
of Squid's root certificate? During my tests, I wrote some short
instructions for my Linux clients with Firefox, Chrome and Konqueror:

https://blog.microlinux.fr/squid-https-centos/#navigateurs

Here's what I intend to do. Configure a local web page
http://proxy.company.lan where clients can download the certificate file
proxy.company.lan.der. This page also contains quick & dirty
instructions on how to install the certificate on the most popular
browsers/platforms (Chrome, Firefox, Safari, Internet Explorer).

Each company will also have a printed document, explaining how to access
the Internet. Something like this:

  1. Open http://proxy.company.lan in your browser.

  2. Download the proxy.company.lan.der certificate file.

  3. Follow instructions to import this file into your browser.

  4. Browse the web normally.

Before doing that, I thought I'd inquire how you guys go about that. As
a long-time Slackware user I've always been a fan of the KISS principle
(Keep It Simple Stupid), so I try to have a no-nonsense approach.

Any suggestions?

Cheers from the sunny South of France,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : [hidden email]
Tél. : 04 66 63 10 32
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
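
An added example, not part of the original post: because the certificate file is fetched over plain http:// and then trusted as a root, a helper can check the download against a SHA-256 fingerprint before it is imported. It assumes the printed document also carries that fingerprint; the function names and the stand-in sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for proxy.company.lan.der: a tiny well-formed DER
# SEQUENCE, not a real certificate. The digest logic is the same for a real one.
SAMPLE_DER = bytes.fromhex("3003020105")


def load_der(data: bytes) -> bytes:
    """Return DER bytes from a DER or PEM download, rejecting anything else."""
    m = PEM_RE.search(data)
    if m:
        data = base64.b64decode(m.group(1))
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (error page saved as .der?)")
    if data[1] < 0x80:                    # short-form length
        header, length = 2, data[1]
    else:                                 # long form: next n bytes hold the length
        n = data[1] & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("malformed DER length")
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if header + length != len(data):
        raise ValueError("truncated or padded file")
    return data


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated as certificate viewers show it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def matches_printed(data: bytes, printed: str) -> bool:
    """Compare a download with the fingerprint typed in from the printed sheet."""
    want = re.sub(r"[^0-9A-Fa-f]", "", printed).upper()
    got = fingerprint(load_der(data)).replace(":", "")
    return hmac.compare_digest(got, want)
```
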
Re: Distribute root certificate to clients

Yuri Voinov
I guess there is no easy solution for this job.

The more difficult task is also mobile clients.

In my case, I just use a rather simple JS-trick solution found on
serverfault once upon a time.

It is point-and-click based, but does not work for each and every browser.
Just for Chrome-based/Firefox and MS Edge (with some difficulties).

Also, don't forget about such things as the JRE. Sometimes it also requires
installing the cache root CA.

And such a thing as Thunderbird - it does not share its certificate store
with FF.

12.03.2018 15:40, Nicolas Kovacs wrote:

> Hi,
>
> I have a few prospective clients who want/need to log and monitor all
> their web traffic and asked me to find a viable solution for this.
>
> After a couple of weeks of fiddling, I decided to opt for the
> Squid+SquidAnalyzer setup, which works quite well. I have a sandbox
> installation here in my office that already works quite satisfyingly.
>
> While working out the solution (thanks again to you guys, you know who
> you are), I took some extensive notes on my technical blog:
>
>   * https://blog.microlinux.fr/squid-centos/
>
>   * https://blog.microlinux.fr/squid-https-centos/
>
>   * https://blog.microlinux.fr/squidanalyzer-centos/
>
>   * https://blog.microlinux.fr/squid-exceptions/
>
> I have yet one problem to tackle, and I already have a solution in mind.
> Though I thought I'd rather ask here first, since this is a bit new to
> me, and you guys have much more experience.
>
> Most of my clients are small businesses with up to a few dozen client
> PCs, and also wireless access.
>
> The problem I'm currently facing is: how to provide an easy installation
> of Squid's root certificate? During my tests, I wrote some short
> instructions for my Linux clients with Firefox, Chrome and Konqueror:
>
> https://blog.microlinux.fr/squid-https-centos/#navigateurs
>
> Here's what I intend to do. Configure a local web page
> http://proxy.company.lan where clients can download the certificate file
> proxy.company.lan.der. This page also contains quick & dirty
> instructions on how to install the certificate on the most popular
> browsers/platforms (Chrome, Firefox, Safari, Internet Explorer).
>
> Each company will also have a printed document, explaining how to access
> the Internet. Something like this:
>
>   1. Open http://proxy.company.lan in your browser.
>
>   2. Download the proxy.company.lan.der certificate file.
>
>   3. Follow instructions to import this file into your browser.
>
>   4. Browse the web normally.
>
> Before doing that, I thought I'd inquire how you guys go about that. As
> a long-time Slackware user I've always been a fan of the KISS principle
> (Keep It Simple Stupid), so I try to have a no-nonsense approach.
>
> Any suggestions?
>
> Cheers from the sunny South of France,
>
> Niki
>
--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************


