[squid-users] Does Squid support two intermediate certificates from different root CAs (same CSR) for sslbump?
Alex Rousskov
rousskov at measurement-factory.com
Fri Dec 5 16:43:26 UTC 2025
On 2025-12-05 09:50, Dieter Bloms wrote:
> We have been using Squid with SSLBump for years.
> The RootCA will expire next year, which is why we have already created a
> new RootCA. Since there are still many proprietary clients that do not yet
> have the new RootCA, I have two intermediate certificates (one from the
> old and one from the new RootCA) for the intermediate CA, issued using
> the very same CSR.
>
> Now I have copied these two certificates together with the private key
> into a PEM file (first the certificates, then the key), but only the
> first certificate is ever delivered.
IIRC, Squid sends the [intermediate] certificate that it used to
issue/sign the generated host/leaf certificate.
> Is there a way to have the second certificate delivered as well
No, Squid does not send "extra" intermediate certificates (i.e.
certificates that are not necessary to complete the chain).
Sending "extras" would violate TLS protocol rules and cause
interoperability problems with some clients: RFC 8446 says that "The
sender's certificate MUST come in the first CertificateEntry in the
list. Each following certificate SHOULD directly certify the one
immediately preceding it."
> so that
> clients with the old RootCA and clients with the new RootCA can verify
> the certificates issued by Squid?
>
> Or is there a better solution in general if the certificates issued by
> Squid are to be temporarily validated by two RootCAs?
It sounds like you are already cross-signing the intermediate
certificate, which is the right thing to do in this case.
You may provide intermediate certificate B to AIA-aware clients via AIA
in the leaf certificate issued by intermediate certificate A (where A
and B are cross-signed/issued by your two roots). Not all clients
support AIA, of course.
HTH,
Alex.
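The following POSIX shell script is an added illustration of the cross-signing layout Alex describes; it is not code from this thread, from Squid, or from either poster. It creates two roots (the old and the new one), signs a single intermediate CSR with both so that intA and intB carry the same subject and the same key, issues one leaf from the intermediate key (standing in for a Squid-generated host certificate) and then checks, with openssl verify, which (root, intermediate, leaf) combinations validate. Every name, the AIA caIssuers URL and the certificate lifetimes are assumptions for the demo; how Squid itself would put an AIA extension into the certificates it generates is not covered by the thread and is not shown here. Requires openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): cross-sign one intermediate
# CSR with two roots and see which chains verify. Names/URLs are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Extensions for the intermediate. SKI is derived from the key, so intA and
# intB end up with the same SKI; only the issuer and AKI differ.
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Extensions for the leaf. The AIA caIssuers URL is a placeholder (assumption):
# an AIA-aware client that only trusts rootB could fetch intB from it.
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
authorityInfoAccess = caIssuers;URI:http://pki.example.test/intB.crt
EOF

new_root() {  # $1 = name: self-signed P-256 root with CA extensions
  openssl req -x509 -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.crt" -days 30 -subj "/CN=$1" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
}

new_csr() {  # $1 = name, $2 = subject: fresh P-256 key plus CSR
  openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

sign() {  # $1 csr, $2 issuer cert, $3 issuer key, $4 extfile, $5 output cert
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile "$4" -out "$5" 2>/dev/null
}

verify_chain() {  # $1 trusted root, $2 intermediate(s) the client has, $3 leaf
  # succeed only if openssl verify reports ": OK" for the leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

aia_caissuers() {  # print the caIssuers entries of a certificate's AIA extension
  openssl x509 -in "$1" -noout -text | grep 'CA Issuers'
}

new_root rootA   # the expiring root: old clients trust only this one
new_root rootB   # the new root

# One intermediate key, ONE CSR, two certificates = a cross-signed pair
new_csr int "/CN=Squid SSL-Bump Intermediate CA"
sign int.csr rootA.crt rootA.key ca.ext intA.crt
sign int.csr rootB.crt rootB.key ca.ext intB.crt

# Leaf issued with the intermediate key; it chains to intA and intB alike
new_csr leaf "/CN=www.example.test"
sign leaf.csr intA.crt int.key leaf.ext leaf.crt

report() {  # $1 label, remaining args as for verify_chain
  label=$1; shift
  if verify_chain "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

report "old client (rootA), chain as served: leaf + intA" rootA.crt intA.crt leaf.crt
report "new client (rootB), chain as served: leaf + intA" rootB.crt intA.crt leaf.crt
report "new client (rootB) that also holds intB"          rootB.crt intB.crt leaf.crt
echo "AIA in leaf:"; aia_caissuers leaf.crt
```

The second line is the situation from the original question: a client that trusts only the new root and receives the chain with the old-root intermediate fails, while the same leaf verifies as soon as that client can get hold of intB, whether from a locally installed bundle or by following the caIssuers URL. Serving both intermediates in one chain would not be a fix even if it were possible, since the second intermediate would not certify the one preceding it, which is exactly the RFC 8446 ordering rule quoted above.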