sslproxy_cert_adapt <adaptation algorithm> acl ...

The following certificate adaptation algorithms are supported:

   setValidAfter
	Sets the "Not After" property to the "Not After" property of
	the CA certificate used to sign generated certificates.

   setValidBefore
	Sets the "Not Before" property to the "Not Before" property of
	the CA certificate used to sign generated certificates.

   setCommonName or setCommonName{CN}
	Sets Subject.CN property to the host name specified as a
	CN parameter or, if no explicit CN parameter was specified,
	extracted from the CONNECT request. It is a misconfiguration
	to use setCommonName without an explicit parameter for
	intercepted or tproxied SSL connections.

This clause only supports fast acl types.

Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
corresponding adaptation algorithm to generate the certificate and
ignores all subsequent sslproxy_cert_adapt options in that algorithm's
group (i.e., the first match wins within each algorithm group). If no
acl(s) match, the default mimicking action takes place.

WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl::certDomainMismatch can
be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
CONNECT request that carries a domain name. In all other cases (CONNECT
to an IP address or an intercepted SSL connection), Squid cannot detect
the domain mismatch at certificate generation time when
bump-server-first is used.
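
The grouping and first-match rule described above, together with the setCommonName misconfiguration check, as a small Python model. This is an added example, not Squid's own code: the function names (parse, select, lint), the ACL names and the host names are assumptions, and ACL matching is supplied by the caller as a set of matching ACL names rather than evaluated.

```python
import re

# Constructed sample configuration; ACL and host names are made up.
SAMPLE_CONF = """\
sslproxy_cert_adapt setCommonName{wrong.invalid} mismatch internal
sslproxy_cert_adapt setCommonName mismatch
sslproxy_cert_adapt setValidAfter expired
sslproxy_cert_adapt setCommonName{late.invalid} all
"""

RULE = re.compile(r"^sslproxy_cert_adapt\s+(\w+)(?:\{([^}]*)\})?\s+(.+)$")


def parse(conf):
    """Group rules by adaptation algorithm, keeping configuration order."""
    groups = {}
    for line in conf.splitlines():
        m = RULE.match(line.strip())
        if m:
            algo, param, acls = m.group(1), m.group(2), m.group(3).split()
            groups.setdefault(algo, []).append((param, acls))
    return groups


def acl_hit(name, matching):
    """One ACL name from a rule; a leading '!' negates it."""
    return name[1:] not in matching if name.startswith("!") else name in matching


def select(groups, matching):
    """Return {algorithm: CN parameter or None} for the winning rule per group.

    All ACLs on a line must match. An algorithm missing from the result
    means no rule matched and the default mimicking applies."""
    chosen = {}
    for algo, rules in groups.items():
        for param, acls in rules:
            if all(acl_hit(a, matching) for a in acls):
                chosen[algo] = param
                break  # later rules in this algorithm's group are ignored
    return chosen


def lint(groups):
    """ACL lists of setCommonName rules lacking an explicit {CN} parameter,
    which is a misconfiguration for intercepted or tproxied connections."""
    return [acls for param, acls in groups.get("setCommonName", []) if param is None]
```
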