Ben Laurie wrote:
|| Errr - it's tricky anyway, coz the cert has to match the final
|| destination, and, by definition almost, that can't be the proxy.

Provided you can impose a CA cert onto the user browser (not hard in a corporate environment), it isn't as if signing a certificate "on the fly" is hard - consider the following:

1. proxy has CA private key A and SSL public key B
2. client requests connect to SSL on xxx.yyy.zzz.com
3. proxy uses OpenSSL library to create certificate for xxx.yyy.zzz.com on the fly (with public key B) signed by CA key A
4. proxy opens SSL link to xxx.yyy.zzz.com
5. if step 4 succeeds, proxy sends cert to client
6. client checks cert against its own local copy of public key A (from its root cert dir) which claims to be "thawte, inc"
7. client approves link and negotiates SSL with proxy
8. proxy links its connection to xxx.yyy.zzz.com to inbound client connection
9. proxy passes (and logs) packets
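The step the post glosses over is the client's check: path validation only asks whether the presented certificate chains to some root in the local store, and once the proxy operator's root is in that store the minted certificate passes exactly as the genuine one does, even when both roots carry the same name. The following Go program is an added example written for this page, not code from the thread or from any proxy product. It builds the situation from the post with constructed material (two private roots that both claim to be "thawte, inc", a genuine server key, and a reused proxy key B), runs Go's standard path validation on both certificates, and then adds the one check the post does not mention: comparing the leaf's SubjectPublicKeyInfo hash against a pin recorded for the real server. The pinning step is this example's own addition, not something the post describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// All keys, names and serials below are constructed for this example.
const host = "xxx.yyy.zzz.com"

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// toCert turns the (der, err) pair from CreateCertificate into a parsed certificate.
func toCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newRoot makes a self-signed CA. Both roots in Scenario get the same common
// name on purpose: a client that only reads the name cannot tell them apart.
func newRoot(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return toCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueLeaf signs a server certificate for host with the given root; one
// signature is all that step 3 of the post costs the proxy.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return toCert(x509.CreateCertificate(rand.Reader, tmpl, root, pub, rootKey))
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a client
// would have recorded out of band for the genuine server.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Verdict is what the client learns about one presented certificate.
type Verdict struct {
	ChainOK  bool   // chains to a root in the client's store (step 6 of the post)
	PinOK    bool   // leaf public key matches the pin for the genuine server
	IssuerCN string // name on the root the chain ended at
}

// checkServerCert models step 6 plus the pin comparison.
func checkServerCert(leaf *x509.Certificate, roots *x509.CertPool, pin string) Verdict {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	v := Verdict{ChainOK: err == nil, PinOK: spkiPin(leaf) == pin}
	if err == nil {
		v.IssuerCN = chains[0][len(chains[0])-1].Subject.CommonName
	}
	return v
}

// Scenario builds the situation in the post and returns the client's verdict
// on the genuine certificate and on the proxy-minted one.
func Scenario() (genuine, proxied Verdict) {
	realRoot, realRootKey := newRoot("thawte, inc", 1)
	proxyRoot, proxyRootKey := newRoot("thawte, inc", 2) // CA key A from the post
	serverKey, proxyKeyB := mustKey(), mustKey()         // proxy reuses key B for every host

	realLeaf := issueLeaf(realRoot, realRootKey, &serverKey.PublicKey, 100)
	proxyLeaf := issueLeaf(proxyRoot, proxyRootKey, &proxyKeyB.PublicKey, 101)

	roots := x509.NewCertPool()
	roots.AddCert(realRoot)
	roots.AddCert(proxyRoot) // the CA cert "imposed" onto the browser

	pin := spkiPin(realLeaf) // recorded from a known-good connection or the site operator
	return checkServerCert(realLeaf, roots, pin), checkServerCert(proxyLeaf, roots, pin)
}

func main() {
	g, p := Scenario()
	fmt.Printf("genuine: %+v\nproxied: %+v\n", g, p)
}
```

Both verdicts come back with ChainOK true and an identical IssuerCN, which is the post's point: once the root is installed, name-based trust is satisfied. Only PinOK differs, because the proxy cannot sign with the genuine server's private key; a pin on the leaf (or on the expected root's key, not its name) is what lets a client or an endpoint agent notice the substitution.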