Manually Regenerate Trusted Root SSL Certificate for Squid

Warning

Please ensure your Squid proxy is in the same TIME ZONE as your browsers. This is important because generating a self-signed Trusted Root CA certificate in an incorrect time zone may produce a certificate whose validity period starts in the future (depending on which time zone your Squid proxy is in). If you install such a certificate into browsers you will get a CERTIFICATE NOT YET VALID error message!

To manually generate a new Trusted Root CA certificate for Squid, run the following commands. DO NOT USE A PASSWORD when generating the certificate, otherwise Squid will not be able to use it! (The -nodes flag in the first command below is what leaves the private key unencrypted.)

$ openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout myca.pem -out myca.pem
$ openssl x509 -in myca.pem -outform DER -out myca.der
$ cp myca.pem /opt/websafety/etc
$ cp myca.der /opt/websafety/etc
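The commands above as one script, added here as an example and not part of the original page: it generates the CA exactly as above and then checks the two things this page warns about, that the key carries no passphrase and that the certificate is not "not yet valid" at a given time. It assumes openssl is on PATH and writes to a work directory you name instead of /opt/websafety/etc.

```shell
#!/bin/sh
# Added example, not part of the original page: regenerate the Squid root CA
# the way the page does (no passphrase, key and certificate in one PEM, plus a
# DER copy), then verify the two properties the page warns about.
# Assumes openssl is on PATH. Files go to a work directory of your choice;
# copy myca.pem and myca.der to /opt/websafety/etc afterwards, as the page says.
set -eu

# Generate the CA. -nodes leaves the private key unencrypted (Squid cannot
# prompt for a password); -subj skips the interactive questions.
gen_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
        -subj "/CN=Squid Root CA (constructed example)" \
        -keyout "$dir/myca.pem" -out "$dir/myca.pem" 2>/dev/null
    openssl x509 -in "$dir/myca.pem" -outform DER -out "$dir/myca.der"
}

# Check 1: the key must not be passphrase-protected. Both the legacy
# "Proc-Type: 4,ENCRYPTED" header and "BEGIN ENCRYPTED PRIVATE KEY" contain
# the word ENCRYPTED; an unencrypted key contains neither.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Check 2: the CA must already be valid at a given UNIX time. Pass the
# current time of a browser machine; a certificate generated with a wrong
# clock or time zone fails here with "certificate is not yet valid".
valid_at() {
    openssl verify -attime "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# Show the validity window so it can be compared with the browser's clock.
show_validity() {
    openssl x509 -in "$1" -noout -subject -startdate -enddate
}

if [ "${1:-}" = "run" ]; then
    work="${2:-./squid-ca-work}"
    gen_ca "$work"
    key_is_unencrypted "$work/myca.pem" || { echo "key is encrypted"; exit 1; }
    valid_at "$work/myca.pem" "$(date +%s)" || { echo "CA not yet valid"; exit 1; }
    show_validity "$work/myca.pem"
    echo "OK: copy $work/myca.pem and $work/myca.der to /opt/websafety/etc"
fi
```

Run it as `sh regen-ca.sh run /tmp/squid-ca` and compare the printed notBefore with the clock of a browser machine before copying the files into place.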

Reinitialize Mimicked SSL Certificate Storage

If you had SSL inspection activated before, Squid may have stored some generated (mimicked) SSL certificates on disk to speed up SSL filtering. These cached certificates must be removed manually for the new CA certificate to work correctly. The following steps show how to do it on Ubuntu or CentOS.

Ubuntu 16 LTS, Debian 8, Raspberry PI 2

The folder where cached SSL certificates are stored is specified by the ssl_crtd option in the Squid configuration file. Use the output of the squid -k parse | grep ssl_crtd command to find it. If you have followed our installation guide for Ubuntu, the folder is /var/spool/squid_ssldb.

To reinitialize the certificate storage, type the following commands.

$ sudo rm -R -f /var/spool/squid_ssldb
$ sudo /usr/lib/squid/ssl_crtd -c -s /var/spool/squid_ssldb
$ sudo chown -R proxy:proxy /var/spool/squid_ssldb

Finally restart your Squid proxy.

$ sudo systemctl restart squid

CentOS 7

The folder where cached SSL certificates are stored is specified by the ssl_crtd option in the Squid configuration file. Run squid -k parse | grep ssl_crtd to find it. If you have followed our installation guide for CentOS, the folder is /var/spool/squid_ssldb.

To reinitialize the certificate storage, type the following commands as root.

rm -R -f /var/spool/squid_ssldb
/usr/lib64/squid/ssl_crtd -c -s /var/spool/squid_ssldb
chown -R squid:squid /var/spool/squid_ssldb

Finally restart your Squid proxy.

systemctl restart squid