Changing Fiddler root certificate to successfully decrypt HTTPS - https

Is there a way to change Fiddler's root certificate? I want it for a scenario where the client app uses certificate pinning and I have access to the keystore whose certificate is trusted by the client app.

I think you're asking "Can I change the certificate Fiddler uses for a particular site" rather than the root certificate, which is used for all sites.
Yes, if you really do have the private key for the certificate, you can configure Fiddler to use it. Inside Fiddler's Rules > Customize Rules > OnBoot function, you can call either:
CertMaker.StoreCert("example.com", certMyCert);
or
CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");
The first call requires that your X509Certificate2 variable (certMyCert in this case) refer to a certificate that is already installed in your computer's Certificate Manager (certmgr.msc), so its private key can be found, while the second allows you to specify a PFX file from disk.

Related

How do I find my server's public key info to do certificate pinning in OkHttp?

I have a server with a custom certificate on it issued by my own personal certificate authority. It's not on a public domain so it's not possible to use a standard certificate authority. I want to get an Android client to connect to this server using OkHttp. According to the docs, the code should look like this:
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add("myserver.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
.build();
Where the SHA256 hash is, quoting the docs: "a hash of a certificate’s Subject Public Key Info, base64-encoded and prefixed with either sha256/ or sha1/". I have the cert and the key files for the server, but how can I get the required hash?
I'm using OkHttp 3.
Try making a request to your server with the configuration above to see how that fails. The exception should tell you which pins were found.
You must do certificate pinning in coordination with your server team! Otherwise a change they make will prevent your client from being able to reach the server.
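The pin value the question asks for can be computed directly from the server's certificate or key with the openssl CLI, as an added example that is not from the post or the OkHttp docs; it assumes openssl is installed and constructs a throwaway certificate and key in place of the questioner's files, then shows that the pin survives re-issuance with the same key and changes only on rekey.

```shell
#!/bin/sh
# Added example (not from the post or the OkHttp docs): derive the
# "sha256/<base64>" pin OkHttp expects from a server certificate, using only
# the openssl CLI. The cert and key are constructed here as stand-ins for the
# questioner's files.
set -eu
WORK=$(mktemp -d)

# Throwaway self-signed server certificate and key (constructed for the demo).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=myserver.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null

# The pin is SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64-encoded
# and prefixed with "sha256/": extract the public key, re-encode as DER, hash.
spki_pin_from_cert() {
  printf 'sha256/%s\n' "$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A)"
}

# The same value derived from the private key alone: the pin is a property of
# the key pair, not of the certificate, so it survives re-issuance with the
# same key and changes only when the server rekeys.
spki_pin_from_key() {
  printf 'sha256/%s\n' "$(openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A)"
}

# Re-issue with a longer validity but the same key (pin unchanged), and once
# with a fresh key (pin changes: the case the server team must announce).
openssl req -x509 -key "$WORK/server.key" -days 30 -subj "/CN=myserver.com" \
  -out "$WORK/renewed.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=myserver.com" \
  -keyout "$WORK/rekeyed.key" -out "$WORK/rekeyed.crt" 2>/dev/null

PIN=$(spki_pin_from_cert "$WORK/server.crt")
printf '.add("myserver.com", "%s")\n' "$PIN"
```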

Problem with Jmeter certificate to record a test

I'm trying to record a test, but when I install the certificate from JMeter in Chrome and then access the site that I want to record, Chrome returns this:
But the certificate that I installed before accessing the site is 100% valid:
Other points:
I already made the JMeter HTTPS proxy route configuration;
I already made the Windows/Browser proxy route configuration;
I installed the certificate correctly.
I don't know why my browser is not looking for the valid certificate; even without any certificate installed, it still looks at this invalid certificate.
If this is blocking you please install the certificate on Firefox and proceed with recording after setting the proxy.
Open Firefox
Type about:preferences in the address bar
Search for certificates in search box
Click on View Certificate button
Select Authorities tab
Click on Import button
Select the certificate from your JMeter/bin folder
Check the first option in the popup (Trust CA to identify the websites)
Click OK
Chrome warns you because JMeter's certificate is self-signed and cannot be validated against a trusted CA.
The options are:
Ignore this error:
Click "Proceed to unsafe" (if it's available)
Launch Chrome with the --ignore-certificate-errors command-line argument
Type badidea anywhere on the page
Add JMeter's self-signed certificate to Windows Trusted Root Certification Authorities:
Mac OSX instructions for this were nowhere to be found.
On a Mac, just import "the root cert" from the JMeter bin directory into your "Keychain Access" tool. If you have to, you can use a tool called "Keystore Explorer" to convert the .crt file to a .cer before you do that import.
Then, you have to mark the cert trusted like this:

Import self signed ssl certificate .pem to firefox

I added a self-signed certificate in .pem format to Firefox under the Authorities tab. When I access the site, Firefox throws the error
mozilla_pkix_error_ca_cert_used_as_end_entity
It says that the certificate is not trusted because it is self-signed. What can the issue be?
If you add the certificate as an authority then it should be used as an authority, i.e. for signing other certificates. If you instead use it as a server certificate (i.e. as an end entity and not an authority) then it should not be added to Firefox as an authority but instead as a server certificate. This will be done automatically if the certificate is not known and you click through the certificate error messages when connecting to your site and accept the site's certificate permanently.
You should also make sure that your certificate contains the necessary key purpose to be used as a server certificate.

X509 Certificate Purpose Setting

I would like to ask when the purpose of a certificate, like Server Authentication or Client Authentication, is set for the certificate.
Is it when we generate the CSR, or when it is signed by the CA?
The CSR is a Certificate Signing Request. If it is a PKCS#10 request (by far the most common type) it can indicate which extensions are requested and that can include the Extended Key Usage (aka purpose). But the CA ultimately decides what to include when it creates and signs the cert. It could choose not to issue a cert. It could issue a cert with a subset of the requested attributes. It could issue a cert that is completely different. It could issue a cert that is exactly what the CSR requested.
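The CSR-requests-but-CA-decides point above, and the key-purpose advice in the Firefox .pem answer, can be seen end to end with the openssl CLI, as an added example that is not from either post; it assumes OpenSSL 1.1.1 or later (for -addext and -ext) and constructs a throwaway CA, key and CSR on the fly. The CSR asks for both serverAuth and clientAuth; the CA's issuing profile grants only serverAuth and marks the cert as an end entity (CA:FALSE), which is what the issued certificate then carries.

```shell
#!/bin/sh
# Added example (not from the post): a PKCS#10 CSR that requests two EKUs and a
# CA whose issuing profile grants only one, shown with the openssl CLI.
# Assumes OpenSSL 1.1.1 or later (-addext, -ext); all keys and certs are
# constructed on the fly.
set -eu
WORK=$(mktemp -d)

make_ca() {   # throwaway CA (constructed for the demo)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# The requester asks for serverAuth AND clientAuth in the CSR's extensionRequest.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
}

# The CA signs with its own extension profile; x509 -req does not copy the
# CSR's requested extensions, so the issued EKU is what the CA decided.
sign_with_ca_policy() {
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/srv.pem" 2>/dev/null
}

# EKU as requested in the CSR vs. as issued in the certificate (spaces stripped).
requested_eku() {
  openssl req -in "$WORK/srv.csr" -noout -text | grep -A1 'Extended Key Usage' | tail -n1 | tr -d ' '
}
issued_eku() {
  openssl x509 -in "$WORK/srv.pem" -noout -ext extendedKeyUsage | tail -n1 | tr -d ' '
}

make_ca && make_csr && sign_with_ca_policy
echo "requested by CSR: $(requested_eku)"
echo "issued by CA:     $(issued_eku)"
```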

Accept SSL Certificate in vb6 using the Webbrowser control

The Problem:
I am creating a VB6 application that will connect to a particular web service located on an HTTPS site. The problem is, the HTTPS site I'm accessing requires all requests to accept its certificate policy (as it's a self-signed SSL certificate).
Basically I need the application to accept security certificate dialog boxes automatically. A sample security dialog is shown below:
Cheers in advance.
EDIT:
I can't post an image yet as I am a new user... Please see the URL below for a sample image:
http://oit.nd.edu/network/nomad/images/ie_certs.gif
Look for a property named Silent.
You will have to catch some other event to reply to that dialog box. Although I am not sure what the behavior is if you set Silent to true (i.e. does it assume Yes or otherwise?).
Most HTTPS sites I know use self-signed certificates.
I don't know VB6 APIs for HTTPS, but for example in Java you should provide it a copy of the site certificate beforehand. That is:
export a copy of the certificate, for example from your browser's certificate repository (in Firefox: Tools->Options->Advanced->Encryption->View Certificates etc.), supposing you have already visited the site with your browser;
detect which certificate repository your HTTPS API points to (there certainly is one);
import the certificate into that repository;
execute your program.