# Build Squid with OpenSSL support and the ssl_crtd certificate-generation helper.
./configure --with-openssl --enable-ssl-crtd
# Initialise (-c) the helper's certificate database in the directory given by -s.
# NOTE(review): squid.conf below starts the helper from /usr/local/squid/libexec/ssl_crtd,
# a different path from the one used here; use the binary from the same install (confirm the path).
/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db/
# Give the database to an unprivileged account so the helper can write to it.
# NOTE(review): assumes Squid runs as nobody:nogroup; confirm against cache_effective_user.
chown -R nobody:nogroup /var/lib/ssl_db

# make sure these lines are present in squid.conf
# Listen on port 3128 in ssl-bump mode and generate a certificate for each requested host,
# signed with the CA in myCA.pem. That file holds the CA certificate and its private key
# (it is built from my_site.key and my_site.crt in the steps further down).
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/myCA.pem
# Helper that generates the per-host certificates: -s is its database directory, -M the size limit of that database.
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Number of helper processes to start.
sslcrtd_children 5
# Decrypt (bump) every TLS connection that passes through the proxy.
ssl_bump bump all
# NOTE(review): the next two directives switch off validation of the upstream server's
# certificate. Squid will then connect to any server regardless of certificate errors, and
# because clients only ever see the certificate Squid generates, they cannot notice an
# invalid, expired or substituted upstream certificate. Keep these two lines to an isolated
# test setup; otherwise remove both so that Squid validates upstream certificates itself.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
  • Create a private key and a public X.509 certificate with the v3_req extensions, enabled as a CA (note that -nodes writes the private key to disk unencrypted):

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout my_site.key -out my_site.crt -reqexts v3_req -extensions v3_ca

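  • Combine the private key and the certificate into the single myCA.pem file that the cert= option in squid.conf points to. This file contains the CA private key, so restrict who can read it:

    cat my_site.key > myCA.pem ; cat my_site.crt >> myCA.pem ; cp myCA.pem /usr/local/squid/etc/ssl/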

  • Convert the certificate to DER format, which is understood by Android:

    sudo openssl x509 -in my_site.crt -outform der -out my_site.der.crt

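  • Use any method to get my_site.der.crt onto your Android device. I found it easy to just have the file hosted by my web server and download it via the Android browser, which then automatically lets you install it. Only this certificate file goes to the device; my_site.key and myCA.pem contain the private key and should stay on the proxy.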