Fiddler to use https by default

I need to install fiddler on multiple machines, and I need to enable https by default and install the certificate by itself. I don't want to do it manually using the UI.
Is there such an option?
Or, is there a command line I use to install the certificate ? I can enable https mode by changing it in the registry directly, but I still need to install the certificate. I tried winhttpcertcfg but it installs the certificate in the Root instead of Personal store.

Automation of this scenario is not presently an officially supported operation.
You can have an installer/batch file create a self-signed root for Fiddler to use, then have it automatically installed in Windows' Trusted Store.
Note you'll need to do this from an elevated command prompt.
makecert -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -eku 1.3.6.1.5.5.7.3.1 -r -a sha1 -cy authority
certmgr /add /c /s my /n DO_NOT_TRUST_FiddlerRoot /s root

Related

No internet connection in Android after using Mitmproxy

I have configured the android Phone (Samsung Galaxy S8) to use proxy. I can connect to mitm.it. I can also see some requests captured by Mitmproxy.
However, I got no internet connection when I try to search anything in Google.
Any hints on what happened and how to fix it?
Android 7.1 and higher no longer allow the use of custom certificates manually added by the user, but if you have a phone with super user access, you can make it work via ADB.
Android stores its system certificates in /system/etc/security/cacerts/. If you take a look at your device, you will see that the certificates have hashed names, e.g. "a1234b0d.0". To intercept app traffic, you need to find out the hash of your certificate:
openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.pem | head -1
Then rename your certificate accordingly:
mv mitmproxy-ca-cert.pem <your_hash_value_in_here_without_carets>.0
And finally move it to where your device's system certificates are. For this, however, you need to remount the system directory first in order to get write access:
adb shell su -c "mount -o rw,remount,rw /system"
adb push your_certificate /sdcard/your_certificate
adb shell su -c "mv /sdcard/your_certificate /system/etc/security/cacerts/your_certificate"
adb shell su -c "chmod 644 /system/etc/security/cacerts/your_certificate"
adb reboot
If that doesn't work, I can remember (not the source, though) reading about Android Nougat also not regarding certificates that expire in more than 2 years. The certificates created by mitmproxy should be fine. Burpsuite or Fiddler ones did not work for me though.
Google Apps use certificate pinning and so they can detect the "fake" http://mitm.it/cert/pem that you downloaded to your phone.
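The hash step in the answer above is OpenSSL's -subject_hash_old. As an added example (not from the answer), this Python reimplements it so a CA file can be mapped to the name Android uses under /system/etc/security/cacerts/ and compared against a device's directory listing to check whether that CA is installed. The certificate it builds for itself is a constructed, unsigned skeleton, not a real CA; the DER helper exists only to build that sample.

```python
import base64
import hashlib

def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def der_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, end) of the DER element that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def pem_to_der(pem: str) -> bytes:
    body = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def subject_name_der(cert_der: bytes) -> bytes:
    """Slice out the DER subject Name, its own tag and length included."""
    _, pos, _ = der_tlv(cert_der, 0)                   # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)                 # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                          # optional [0] EXPLICIT version
        pos = der_tlv(cert_der, pos)[2]
    for _ in range(4):                                 # serial, signature, issuer, validity
        pos = der_tlv(cert_der, pos)[2]
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE; input is not an X.509 certificate")
    return cert_der[pos:end]

def subject_hash_old(cert_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: first 4 bytes of MD5(DER subject), little-endian, %08x."""
    md = hashlib.md5(subject_name_der(cert_der)).digest()
    return format(int.from_bytes(md[:4], "little"), "08x")

def cacerts_filename(pem: str) -> str:
    """Name Android expects for this CA under /system/etc/security/cacerts/."""
    return subject_hash_old(pem_to_der(pem)) + ".0"

def sample_cert_pem() -> str:
    """Constructed, unsigned certificate skeleton with CN=example-ca (not a real cert)."""
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"example-ca"))
    name = der(0x30, der(0x31, cn))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")            # version, serial
           + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
           + name + der(0x30, der(0x17, b"200101000000Z") * 2) + name)   # issuer, validity, subject
    b64 = base64.b64encode(der(0x30, der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
```

The result matches `openssl x509 -subject_hash_old` for a real PEM because the old hash is taken over the subject Name exactly as encoded in the certificate.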

SignTool Certificate Location for non-Admin user

I'm trying to use SignTool.exe to code sign an executable with a certificate installed into the Windows certificate store. I'm able to get it to work by installing the cert into the Local Machine/Personal section and then running as an administrator, but I can't seem to work out the right place where the certificate needs to be installed to run as the current user.
I've installed the cert into Current User/Personal and when I do:
Get-ChildItem -Path Cert:\CurrentUser\My
the certificate is in the list. But when I try sign with:
& "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" `
    sign /v /n "West Wind Technologies" `
    /s MY `
    /tr "http://timestamp.digicert.com" /td SHA256 /fd SHA256 `
    ".\Builds\CurrentRelease\MarkdownMonsterSetup.exe"
running as a non-admin user it doesn't work. I get:
SignTool Error: No certificates were found that met all the given criteria.
If I add the /sm flag, run as an administrator and have it in the personal store, it works.
Where do I have to put the certificate in the cert store to get it to run without administrator rights?
For the current user you can use Certmgr to import it to the Personal folder.
I use the signtool /n option.
A bit more difficult is when you use signtool in an automated environment as (if your security is set up correctly) the build agent is running under a limited service account. An option could be to use a file then.

How to use a specific self-signed certificate with IIS Express (rather than the default localhost)

I am having trouble finding a specific example for how I specify a self-signed certificate for IIS Express - Visual Studio 2015 - rather than the default generated 'localhost' certificate.
I'd like to use one from my personal self-signed certificates store to correspond with a specific domain I am using during development.
I cannot locate where to specify the certificate (or its footprint).
You can use makecert to do that. A long time ago I wrote a document on how to do that, and you can find the blog here:
http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx
the key call is:
makecert -r -pe -n "CN=HANSELMAN-W500" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
where you can choose the CNAME that you want there.

How to install one certificate automated into Firefox store?

I have an app (.NET) that automatically adds a certificate to the Windows root store via:
using System.Security.Cryptography.X509Certificates;

X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(certificate);
rootStore.Close();
Internet Explorer then knows this certificate. But Firefox doesn't, as it has its own certificate store.
Is there any way to accomplish this without overriding current Firefox certificates (I read somewhere to copy cert8.db, but that's not possible due to multiple customers)?
I simply want to automatically "add" one certificate to the Firefox store.
Thank you in advance.
You can use NSS to manage certificates on the local install. Not sure how well it plays with .NET (if at all) but if the environment is predictable you could probably resort to running an executable.
First try which already works nearly as I want:
The documentation is here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
I downloaded the binaries from:
https://www.felixrr.pro/wp-content/uploads/2012/06/nss-3.13.5-nspr-4.9.1-compiled-x86.zip
Then run the following commands from within the extracted zip-directory (otherwise CMD would use certutil of Windows) which worked:
REM Add certificate to cert8.db (Db will be reloaded on next FF start)
certutil.exe -A -n "SomeName" -t "Cu,p,p" -i "C:\Test\cert.pem" -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
REM Show all certificates in cert8.db
certutil.exe -L -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
After restarting FF I could successfully navigate to my SSL page without certificate error.
The only command that didn't work yet is the delete command, which returns the error 'certutil.exe: could not find certificate named "SomeName": security library: bad database.':
certutil.exe -D -n "SomeName" -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\5drs48sb.default"
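Extending the certutil approach above to every Firefox profile of the user, as an added example that is not the poster's code: it resolves the profile directories from Firefox's profiles.ini and runs the same certutil -A import for each one. CERTUTIL_PATH and the certificate path are assumptions to adjust; the profiles.ini text is read from the real file only in the usage block at the bottom.

```python
import configparser
import os
import subprocess

# Assumption: the NSS certutil.exe unpacked from the zip, not the Windows certutil on PATH
CERTUTIL_PATH = r"C:\Tools\nss\certutil.exe"

def firefox_profile_dirs(profiles_ini_text: str, base_dir: str) -> list:
    """Resolve every [ProfileN] section of profiles.ini to a profile directory."""
    cfg = configparser.ConfigParser()
    cfg.read_string(profiles_ini_text)
    dirs = []
    for section in cfg.sections():
        if not section.startswith("Profile") or not cfg.has_option(section, "Path"):
            continue
        path = cfg.get(section, "Path")
        if cfg.get(section, "IsRelative", fallback="1") == "1":
            path = os.path.join(base_dir, path)          # relative to the Firefox app-data dir
        dirs.append(path)
    return dirs

def import_command(profile_dir: str, cert_path: str, nickname: str) -> list:
    """certutil -A invocation for one profile.  'sql:' addresses cert9.db (Firefox 58
    and later); use 'dbm:' for the older cert8.db the question refers to.  Trust
    'C,,' marks the certificate as a CA trusted to issue server certificates only,
    which is all the HTTPS case needs."""
    return [CERTUTIL_PATH, "-A", "-n", nickname, "-t", "C,,",
            "-i", cert_path, "-d", "sql:" + profile_dir]

def install_into_all_profiles(cert_path, nickname, profiles_ini_text, base_dir,
                              run=subprocess.run, is_dir=os.path.isdir) -> dict:
    """Import the certificate into each profile that exists on disk; returns {dir: exit code}."""
    results = {}
    for profile_dir in firefox_profile_dirs(profiles_ini_text, base_dir):
        if not is_dir(profile_dir):
            continue                                      # listed in profiles.ini but absent
        proc = run(import_command(profile_dir, cert_path, nickname),
                   capture_output=True, text=True)
        results[profile_dir] = proc.returncode            # 0 = imported; check stderr otherwise
    return results

if __name__ == "__main__":
    base = os.path.join(os.environ.get("APPDATA", ""), "Mozilla", "Firefox")
    with open(os.path.join(base, "profiles.ini"), encoding="utf-8") as f:
        print(install_into_all_profiles(r"C:\Test\cert.pem", "SomeName", f.read(), base))
```

Firefox only reloads the database on start, so the import has to run while Firefox is closed, exactly as in the answer.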

How to create a secure http server in dart?

I am trying to set up my dart http server to run only with https. So I gather I need to use HttpServer.bindSecure, but I'm not clear from the description what needs to be passed in as certificateName and whether requestClientCertificate being true makes it more or less secure, or has no impact on security whatsoever. The small sample code at the top of the HttpServer page passes in certificateName: 'localhost_cert', but before that it does something with a database and doesn't seem to use it in any way. Can anyone explain in more detail what these values are and what they need to be in order to make them secure?
The requestClientCertificate parameter of bindSecure is used to specify a client certificate. Client certificates are used by servers to identify and authorize clients, which appears not to be the objective of this question. It should be noted that there is a known issue with using client certificates in Dart on IE9 and Windows 7.
The certificateName parameter is used to specify the nickname of a certificate that exists in your certificate database. You specify the certificate nickname using the -n <nickname> option when importing a certificate to your database using certutil.
Use the following steps to:
Install the NSS utility (including certutil),
Create a new certificate database in directory <dir> with a password <password>, and
Import your self-signed or purchased certificate identified by nickname <host> such that it can be used to create an HTTPS server using the following sample code. Though the nickname can be chosen arbitrarily, we use the host name in this example. These steps have been confirmed working in Ubuntu 14.04 and Dart SDK 1.6 through (currently last stable version) 1.8.3.
Install the NSS utility
sudo apt-get install libnss3-tools
cd to the directory that will contain your certificate database
cd <dir>
Create a password file to use with the certificate database:
echo "<password>" > pwdfile
Create the certificate database
certutil -N -d 'sql:./' -f pwdfile
Either:
Generate a self-signed certificate:
certutil -S -s "cn=<host>" -n "self signed for dart" -x -t "C,C,C" -m 1000 -v 120 -d "sql:./" -k rsa -g 2048 -f pwdfile
where <host> is the host ("common name") for which to generate a certificate, for example "localhost"
Or, purchase a certificate by first creating a signing request for a real domain <host>, for example "myhost.com":
certutil -R -s "CN=<host>, O=None, L=San Diego, ST=California, C=US" -a -g 2048 -o <host>.csr -d "sql:./"
Then specify the content of file <host>.csr when prompted for a CSR upon purchasing a certificate from a signing authority.
Copy the purchased certificate to a file named <host>.crt
Import the certificate to the database
certutil -A -n <host> -t "p,p,p" -i <host>.crt -d "sql:./"
If necessary to use an intermediate certificate, it can be imported as such:
certutil -A -n my_intermediate_certificate -t "p,p,p" -i intermediate.crt -d "sql:./"
where "intermediate.crt" is the intermediate certificate file downloaded from the signing authority.
Verify that the certificates exist in the database
certutil -L -n <host> -d "sql:./"
certutil -L -n my_intermediate_certificate -d "sql:./"
To use this certificate and create an HTTPS server, do the following:
import 'dart:io';

void main() {
  // Initialize secure socket to use certificate database (note: replace `<dir>`
  // with the absolute path to the certificate database directory, and `<password>`
  // with the value chosen above)
  SecureSocket.initialize(database: "<dir>", password: "<password>");
  // Bind secure HTTP server to specified host and port (typically 443)
  HttpServer.bindSecure("<host>", 443, certificateName: "<host>")
      .then((HttpServer httpServer) {
        // Listen for incoming requests
        httpServer.listen((HttpRequest httpRequest) {
          // TODO: process request
        });
      })
      .catchError((error) {
        // TODO: handle error
      });
}
Update
I don't have enough reputation points to respond to the comments, so here are additional details that may help answer the questions: Client certificates are not used to encrypt client-server communication and are not needed in the common scenario of establishing secure communication between a web browser and a webserver via HTTPS. The steps outlined above show how to create an HTTPS server in Dart using bindSecure.