ssl bump, CA certificate renewal, how to?

ssl bump, CA certificate renewal, how to?

Dmitry Melekhov

Hello!

According to

https://wiki.squid-cache.org/Features/DynamicSslCert

the recommended way to create the certificate is

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem  -out myCA.pem

We can create the certificate for a longer time.

But sooner or later we'll have to renew it.

In this case, once we have replaced the certificate, it should immediately be replaced on users' computers,
not an easy task; I'm not sure it can be achieved in our environment.

We had the same issue with OpenVPN; fortunately it can check certificates against several CAs placed in the same file,
so we had the old and new certificates for some time.

I don't know whether it is possible to do something similar with Squid and dynamic certificate generation;
I know it does not work now.

Could you share your experience? How do you replace certificates?

Thank you!



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ssl bump, CA certificate renewal, how to?

Eliezer Croitoru

With Squid 4.x or even 3.5 you can use an intermediate CA.

So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two.

The main root CA should be created for a period of at least 5 years to allow the dynamicity you probably need.

Eliezer

  • I have seen security companies (AV) that update their root CA certificate using the AV or agent; if running an update file/service at every startup is an option, we can try to find a nice solution.

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]

Re: ssl bump, CA certificate renewal, how to?

Dmitry Melekhov


On 15.01.2019 20:52, [hidden email] wrote:

> With Squid 4.x or even 3.5 you can use an intermediate CA.
>
> So you will have the root key and certificate somewhere safe and renew the intermediate root CA every year or two.
>
> The main root CA should be created for a period of at least 5 years to allow the dynamicity you probably need.
>
> Eliezer

5 years, really? Not a very long period of time; if I were sure I won't be working here in 5 years, then I'd use this ;-) , unfortunately I'm not :-(

I don't need to replace the certificate every year or so, but I need to have minimal service interruption for every user during certificate replacement,

and I'm sure the certificate will need replacement for some reason.

>   • I have seen security companies (AV) that update their root CA certificate using the AV or agent; if running an update file/service at every startup is an option, we can try to find a nice solution.

Download the certificate at every boot or user login....

This is a good idea, thank you!


Re: ssl bump, CA certificate renewal, how to?

FredB-2
In reply to this post by Eliezer Croitoru
Now Squid can get the intermediate CA directly, as a browser does; it's a
very interesting feature to me.

Maybe I'm missing something, but I can see the request from Squid now
(with Squid 4). It's a good point; my sslbump config is very basic,
perhaps too basic:

acl step1 at_step SslBump1

ssl_bump peek step1 all

ssl_bump splice nobump -> just a simple acl dstdomain

ssl_bump splice nobump



Re: ssl bump, CA certificate renewal, how to?

FredB-2
Sorry, wrong topic.


Re: ssl bump, CA certificate renewal, how to?

Bruno de Paula Larini
In reply to this post by Dmitry Melekhov
On 15/01/2019 15:01, Dmitry Melekhov wrote:

>
> 5 years, really? Not a very long period of time; if I were sure I won't
> be working here in 5 years, then I'd use this ;-) , unfortunately I'm not :-(
>
> I don't need to replace the certificate every year or so, but I need to
> have minimal service interruption for every user during certificate
> replacement,
>
> and I'm sure the certificate will need replacement for some reason.
>
If your clients are running Windows and are AD members, you could
distribute the certificates very easily via GPO. If not, I can only think
of a scripted solution on the clients' side, as Eliezer suggested.
As for avoiding the downtime, try to add, not replace, the new one in the
clients' certificate store beforehand. When you're certain that all of
the clients are updated, then switch Squid's CA.

-Bruno
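
The two ideas in this thread, Eliezer's offline root plus short-lived signing intermediate and Bruno's add-first-switch-later root replacement, can be rehearsed end to end with nothing but openssl. The script below is an added example written for this page; it is not code from the posters or from the Squid project, and it never touches squid.conf. Every file name, CN, validity period and the scratch directory are assumptions chosen for the demo, `openssl verify` stands in for the client's browser, and `make_leaf` stands in for the per-host certificate Squid mints on the fly. In Squid the signing pair is simply whatever `https_port`'s certificate options point at (`tls-cert=`/`tls-key=` in 4.x, `cert=`/`key=` in 3.5).

```shell
#!/bin/sh
# Added example (not from the squid-users posters or the Squid project):
# a two-tier SSL-Bump CA and both rotation strategies from the thread.
# All names, CNs and validity periods are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# make_root PREFIX DAYS: self-signed root CA. Extensions come from an explicit
# extfile so the result does not depend on the system openssl.cnf.
make_root() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=$1 SSL-Bump Root" -keyout "$1-root.key" -out "$1-root.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > "$1-root.ext"
    openssl x509 -req -sha256 -days "$2" -in "$1-root.csr" -signkey "$1-root.key" \
        -extfile "$1-root.ext" -out "$1-root.crt" 2>/dev/null
}

# make_intermediate ROOTPREFIX PREFIX DAYS: the CA Squid actually signs with.
make_intermediate() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=$2 SSL-Bump Intermediate" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                  'keyUsage=critical,keyCertSign,cRLSign' > "$2.ext"
    openssl x509 -req -sha256 -days "$3" -in "$2.csr" \
        -CA "$1-root.crt" -CAkey "$1-root.key" -CAcreateserial \
        -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# make_leaf INTPREFIX PREFIX HOST: stands in for the per-site certificate
# Squid generates dynamically for a bumped connection.
make_leaf() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' "subjectAltName=DNS:$3" > "$2.ext"
    openssl x509 -req -sha256 -days 30 -in "$2.csr" \
        -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# client_accepts TRUSTSTORE LEAFPREFIX INTPREFIX: exit 0 if a client trusting
# only the roots in TRUSTSTORE accepts the leaf when the intermediate is sent
# along with it, which is exactly what a browser evaluates.
client_accepts() {
    openssl verify -CAfile "$1" -untrusted "$3.crt" "$2.crt" >/dev/null 2>&1
}

# 1. Initial deployment: 10-year root, 1-year intermediate. Only the root is
#    ever pushed to clients; the root key stays offline.
make_root old 3650
make_intermediate old int-2019 365
cp old-root.crt trust-old-only.pem
make_leaf int-2019 leaf-2019 www.example.com

# 2. Yearly intermediate renewal under the same root: no client changes.
make_intermediate old int-2020 365
make_leaf int-2020 leaf-2020 www.example.com

# 3. The root itself must be replaced: build the new hierarchy, but do not
#    point Squid at it yet.
make_root new 3650
make_intermediate new int-new 365
make_leaf int-new leaf-new www.example.com

# 4. Overlap window: the new root is ADDED to clients (GPO, boot-time fetch,
#    etc.) while Squid still signs under the old one. Both chains validate.
cat old-root.crt new-root.crt > trust-both.pem

# 5. Only after every client carries both roots: switch Squid to int-new,
#    then retire the old root from clients as the last step.
cp new-root.crt trust-new-only.pem

report() {  # report TRUSTSTORE LEAF INT: print the client's verdict
    if client_accepts "$1" "$2" "$3"; then echo "$1: $2 via $3 accepted"
    else echo "$1: $2 via $3 REJECTED"; fi
}
report trust-old-only.pem leaf-2019 int-2019   # accepted
report trust-old-only.pem leaf-2020 int-2020   # accepted: intermediate rotated
report trust-old-only.pem leaf-new  int-new    # REJECTED: Squid switched too early
report trust-both.pem     leaf-2020 int-2020   # accepted
report trust-both.pem     leaf-new  int-new    # accepted: safe to switch Squid now
report trust-new-only.pem leaf-2020 int-2020   # REJECTED: remove old root only last
echo "artifacts left in $WORK"
```

The third and sixth lines of output are the two ways to cause the outage Dmitry wants to avoid: switching Squid before the new root has reached every client, or deleting the old root from clients before Squid has switched. Every other transition is invisible to users, which is why the intermediate, not the root, should be the thing that expires on a schedule.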

Re: ssl bump, CA certificate renewal, how to?

Dmitry Melekhov
On 15.01.2019 21:33, Bruno de Paula Larini wrote:

> On 15/01/2019 15:01, Dmitry Melekhov wrote:
>>
>> 5 years, really? Not a very long period of time; if I were sure I won't
>> be working here in 5 years, then I'd use this ;-) , unfortunately I'm not :-(
>>
>> I don't need to replace the certificate every year or so, but I need to
>> have minimal service interruption for every user during certificate
>> replacement,
>>
>> and I'm sure the certificate will need replacement for some reason.
>>
> If your clients are running Windows and are AD members, you could
> distribute the certificates very easily via GPO. If not, I can only
> think of a scripted solution on the clients' side, as Eliezer suggested.

I guess no more than 1/3 of our computers are in AD, and not all of them are
Windows; we also have Linux and macOS...


> As for avoiding the downtime, try to add, not replace, the new one in
> the clients' certificate store beforehand. When you're certain that
> all of the clients are updated, then switch Squid's CA.
>
> -Bruno


Thank you very much, this is simple and efficient :-)



Re: ssl bump, CA certificate renewal, how to?

Eliezer Croitoru
In reply to this post by Bruno de Paula Larini
+1

If the certificate is still working, do the updates step by step, and when you have successfully distributed the certificate, make the switch.

Eliezer
