Manually Regenerate Trusted Root SSL Certificate for Squid


Please ensure your Squid proxy is in the same TIMEZONE as your browsers. This is important because generating a self-signed Trusted Root CA certificate in an incorrect time zone may produce a certificate whose validity period starts in the future (depending on which time zone your Squid proxy is in). If you install such a certificate into browsers you will get a CERTIFICATE NOT YET VALID error message!

To manually generate a new trusted Root CA certificate for Squid, run the following commands. DO NOT USE A PASSWORD when generating the certificate, otherwise Squid will not be able to use it!

$ openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout myca.pem -out myca.pem
$ openssl x509 -in myca.pem -outform DER -out myca.der
$ cp myca.pem /opt/websafety/etc
$ cp myca.der /opt/websafety/etc
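The following script is an added example (it is not part of the Web Safety documentation or the Squid project) that runs the same openssl commands as above and then checks the two things this page warns about: that the key carries no passphrase, and that the certificate is already valid at the moment it is generated (a clock or time zone problem shows up here as "certificate is not yet valid", the same condition browsers report as CERTIFICATE NOT YET VALID). The minimal openssl.cnf written by the script, the output directory and the subject name are constructed for the example; the system openssl.cnf would normally supply the v3_ca extensions.

```shell
#!/bin/sh
# Added example, not from the Web Safety docs: generate the Squid Root CA
# the way the page does and verify it is usable. Assumes openssl is on PATH.
set -eu

# Minimal OpenSSL config (constructed for this example) so the result does not
# depend on the system openssl.cnf. x509_extensions = v3_ca marks the
# certificate as a CA, which browsers require before trusting it as a root.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# generate_squid_ca DIR [SUBJECT]
# Writes DIR/myca.pem (key + certificate in one file, the layout Squid reads)
# and DIR/myca.der (certificate only, for importing into browsers).
generate_squid_ca() {
    dir=$1
    subj=${2:-/CN=Squid Root CA (example)}
    mkdir -p "$dir"
    write_ca_config "$dir/ca.cnf"
    # -nodes: no passphrase, otherwise Squid cannot load the key unattended.
    # -keyout and -out name the same file; openssl appends the certificate
    # after the key, exactly as the page's command does.
    openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
        -config "$dir/ca.cnf" -subj "$subj" \
        -keyout "$dir/myca.pem" -out "$dir/myca.pem" 2>/dev/null
    openssl x509 -in "$dir/myca.pem" -outform DER -out "$dir/myca.der"
}

# verify_squid_ca DIR
# Returns 0 only if the generated material is usable by Squid and browsers.
verify_squid_ca() {
    pem=$1/myca.pem
    der=$1/myca.der
    # 1. Both halves must be present in the combined PEM file.
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
    grep -q 'PRIVATE KEY' "$pem"       || { echo "no private key in $pem"; return 1; }
    # 2. The key must not be passphrase-protected (PKCS#8 or legacy header).
    if grep -q 'ENCRYPTED' "$pem"; then echo "key is passphrase-protected"; return 1; fi
    # 3. Self-signed, trusts itself, and valid right now. A certificate whose
    #    notBefore lies in the future fails here with "certificate is not yet valid".
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 \
        || { echo "verify failed:"; openssl verify -CAfile "$pem" "$pem"; return 1; }
    # 4. Marked as a CA, so browsers accept it as a trust anchor.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate is not a CA"; return 1; }
    # 5. The DER copy parses as a certificate.
    openssl x509 -inform DER -in "$der" -noout || { echo "bad DER file"; return 1; }
    return 0
}

# show_validity DIR: print the validity window next to the current UTC time
# so a time zone skew can be spotted by eye.
show_validity() {
    openssl x509 -in "$1/myca.pem" -noout -startdate -enddate
    echo "now=$(date -u '+%b %e %H:%M:%S %Y GMT')"
}

# Stand-alone use: CA_DIR=./ca sh squid_ca.sh
if [ -n "${CA_DIR:-}" ]; then
    generate_squid_ca "$CA_DIR"
    verify_squid_ca "$CA_DIR" && show_validity "$CA_DIR"
fi
```

After the script reports success, the files are copied to /opt/websafety/etc as shown above; the verification step can also be run on an existing myca.pem to confirm it has no passphrase before Squid is restarted.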

Reinitialize Mimicked SSL Certificate Storage

If you had SSL inspection activated before, then some generated SSL certificates may have been stored by Squid on disk to speed up SSL filtering. These certificates need to be manually removed in order for the new certificates to work correctly. The following steps show how to do it in Ubuntu 22.04.

Ubuntu 22.04

The folder where cached SSL certificates are stored is specified by the sslcrtd_program option in the Squid configuration file. Use the output of the squid -k parse 2>&1 | grep security_file_certgen command to find it. If you have followed our installation guide for Ubuntu, the folder is /var/spool/squid/ssldb.

To reinitialize the certificate storage type the following commands.

$ sudo rm -R -f /var/spool/squid/ssldb
$ sudo /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssldb -M 4MB
$ sudo chown -R proxy:proxy /var/spool/squid/ssldb

Finally restart your Squid proxy.

$ sudo systemctl restart squid