sslproxy_cert_sign <signing algorithm> acl ...

        The following certificate signing algorithms are supported:

	   signTrusted
		Sign using the configured CA certificate which is usually
		placed in and trusted by end-user browsers. This is the
		default for trusted origin server certificates.

	   signUntrusted
		Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
		This is the default for untrusted origin server certificates
		that are not self-signed (see ssl::certUntrusted).

	   signSelf
		Sign using a self-signed certificate with the right CN to
		generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
		browser. This is the default for self-signed origin server
		certificates (see ssl::certSelfSigned).

	This clause only supports fast acl types.

	When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
	signing algorithm to generate the certificate and ignores all
	subsequent sslproxy_cert_sign options (the first match wins). If no
	acl(s) match, the default signing algorithm is determined by errors
	detected when obtaining and validating the origin server certificate.

	WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
	be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
	CONNECT request that carries a domain name. In all other cases (CONNECT
	to an IP address or an intercepted SSL connection), Squid cannot detect
	the domain mismatch at certificate generation time when
	bump-server-first is used.