[squid-users] Using CA signed certificate for SSL bump
Arshad Ansari
2018-09-05 07:02:45 UTC
Hi All,

I have set up squid 4.2 for forward proxy and caching. It is working fine when I am using a self-signed certificate for SSL bump.

However, our security requirement is to use only a CA-signed certificate and not a self-signed certificate.

I have tried various options like using https and intercept but nothing seems to be working.

My question is: does SSL work with a CA-signed certificate?

Regards,
Arshad
Antony Stone
2018-09-05 08:29:55 UTC
Post by Arshad Ansari
Hi All,
I have setup squid 4.2 for forward proxy and caching. It is working fine
when I am using self-signed certificate for SSL bump.
Good. Well done.
Post by Arshad Ansari
However, our security requirement is to use only CA signed certificate and
not self-signed certificate.
That won't work.
Post by Arshad Ansari
I have tried various options like using Https and intercept but nothing
seems to be working.
Indeed.
Post by Arshad Ansari
My question is does SSL work with CA signed certificate?
SSL? Yes.

SSL Bump / interception, no - because if it did, you'd have a globally-trusted
certificate which you could use to fake any website on the Internet.

Security? The CA who gave you that certificate would disappear.

Antony.
--
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

Please reply to the list;
please *don't* CC me.
Flashdown
2018-09-05 10:02:36 UTC
Hey,

How should that work? That would require a CA to sign your self-signed CA so that it could issue valid public certs for all websites. If that were possible, then the whole concept of SSL security would be worth nothing. You can't create valid certificates for such websites. You can only issue certs that are valid in your organisation only. Therefore the self-signed CA needs to be trusted by your clients by adding it to the trusted root authorities. There is no other way; wait, there is: do not try to intercept SSL-secured connections. Then you can't look into the traffic, as it is supposed to be. Or break it and live with what is required for this. If you have no valid reason to intercept such traffic, then just don't do it.
Post by Arshad Ansari
Hi All,
I have setup squid 4.2 for forward proxy and caching. It is working
fine when I am using self-signed certificate for SSL bump.
However, our security requirement is to use only CA signed certificate
and not self-signed certificate.
I have tried various options like using Https and intercept but nothing seems to be working.
My question is does SSL work with CA signed certificate?
Regards,
Arshad
Alex Crow
2018-09-05 11:05:17 UTC
You can set up your own internal CA. You then have the CA key (so can
generate certificates for any domain) and install the CA public
certificate on all client machines.

That CA can be anything from a local CA on the squid box, using a
central VM with something like XCA installed, all the way to an
enterprise HSM.

But you must have the CA key. There is no way a commercial CA would give
you a universal signing key.

Alex
Post by Arshad Ansari
Hi All,
I have setup squid 4.2 for forward proxy and caching. It is working
fine when I am using self-signed certificate for SSL bump.
However, our security requirement is to use only CA signed certificate
and not self-signed certificate.
I have tried various options like using Https and intercept but
nothing seems to be working.
My question is does SSL work with CA signed certificate?
Regards,
Arshad
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
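Alex's point, that bumping needs your own CA key and that certificates minted with it validate only on clients which have imported that CA, can be checked directly with openssl. The script below is an added example, not code from the thread or from Squid; the file names, the CA name and the hostname www.example.com are assumptions made for the demo.

```shell
# Added example for this thread (not any poster's code): build a private CA with
# openssl, sign a leaf certificate for a hostname with it, and show that the leaf
# verifies only against a trust store containing that private CA. File names
# and the hostname www.example.com are made up for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Private CA: key plus self-signed CA certificate. openssl's default req
# settings mark it CA:TRUE, so a client that imports ca.pem into its root
# store will accept it as an issuer.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Private SSL Bump CA (demo)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Leaf certificate for one hostname, signed with the private CA key. This is
# the per-site step a bumping proxy performs; it needs the CA private key,
# which is exactly what no public CA will hand out.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Chain check from a client's point of view. $1 is the PEM trust store that
# client uses; an empty $1 means the OS default store, i.e. a client that
# never imported the private CA. Prints "trusted" or "untrusted".
verify_leaf() {
    if openssl verify ${1:+-CAfile "$1"} "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_ca
make_leaf www.example.com
echo "client with private CA imported: $(verify_leaf "$WORK/ca.pem")"   # trusted
echo "client with OS store only:        $(verify_leaf "")"               # untrusted
```

The second line is the situation Antony and Flashdown describe: outside the organisation that installed ca.pem, the bumped certificate is simply untrusted.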