Is it possible to export the fiddler root cert so other users can use it?.
I'm wanting to distribute a vagrant/docker image for my team. We basically need to use fiddler to make SSL work (making the guest vm trust fiddlers cert and then routing everything through fiddler on the host).
I'd like to have the vagrantmachine trust fiddler by trusting a root CA we share. So the vm would trust this CA and not need to be configured everytime.
Is there a way to export fiddlers root CA (private key) and install this on another machine?.
You can export Fiddler's certificate by clicking the "Export Root Certificate to Desktop" button on the tab where you enabled HTTPS (Tools > Fiddler Options > HTTPS).
Alternatively, you can simply visit http://fiddlerPC:8888/ from the other clients and a link on that page offers the certificate for download.
.CER files do not contain the private key, and you do not need to distribute the private key to other machines for them to trust the certificate.
If you want to include the private key, you need to use mmc.exe with CertMgr.msc; right-click on the root, choose All Tasks > Export...
Note that having multiple different Fiddler root certificates on a single PC will confuse Windows; use CertMgr.msc or Fiddler's "Remove Interception Certificates" button to remove any old roots before installing the new one.
I found this on happen-stance while searching.
Open Fiddler's Options.
Turn on Decrypt SSL, THEN click the Actions button on the upper-right of that tabbed area. (Exporting is not available unless you have it checked)
Related
I'm new to jmeter, I'm facing an issue while trying to record on IE, after i enter URL and hit enter i get website’s security certificate error, when i try it without recording on JMETER it works fine. Can anyone please tell me how to over come this issue?
Steps followed:
I have launched jmeter using proxy or else i won't record anything,
Launched using: C:\apache-jmeter-2.13\apache-jmeter-2.13\bin>jmeter -H {myproxyadd} -P 8080 -u etc
LAN Settings:
Only use a proxy server for your LAN is checked and everything else is unchecked on LAN Settings.
Address: localhost port:8080
jmeter website’s security certificate.
This is expected. JMeter is using self-signed certificate in order to be able to record HTTPS traffic and Internet Explorer warns you that certificate is not "trusted". So you can ignore this warning, click Continue to this website (not recommended) and move on.
As per "Installing the JMeter CA certificate for HTTPS recording" chapter of HTTP(S) Test Script Recorder documentation.
As mentioned above, when run under Java 7, JMeter can generate certificates for each server. For this to work smoothly, the root CA signing certificate used by JMeter needs to be trusted by the browser. The first time that the recorder is started, it will generate the certificates if necessary. The root CA certificate is exported into a file with the name ApacheJMeterTemporaryRootCA in the current launch directory. When the certificates have been set up, JMeter will show a dialog with the current certificate details. At this point, the certificate can be imported into the browser, as per the instructions below.
Note that once the root CA certificate has been installed as a trusted CA, the browser will trust any certificates signed by it. Until such time as the certificate expires or the certificate is removed from the browser, it will not warn the user that the certificate is being relied upon. So anyone that can get hold of the keystore and password can use the certificate to generate certificates which will be accepted by any browsers that trust the JMeter root CA certificate. For this reason, the password for the keystore and private keys are randomly generated and a short validity period used. The passwords are stored in the local preferences area. Please ensure that only trusted users have access to the host with the keystore.
Documentation also suggests installing certificate into browser to make this warning go away:
Browse to the JMeter launch directory, and click on the file ApacheJMeterTemporaryRootCA.crt, and open it
Click on the "Details" tab and check that the certificate details agree with the ones displayed by the JMeter Test Script Recorder
If OK, go back to the "General" tab, and click on "Install Certificate ..." and follow the Wizard prompts
By the way, you can use an alternative to JMeter's HTTP(S) Test Script recorder service. It makes recording process easier and also can export recorded requests in so called "SmartJMX" form - automatic correlation of dynamic parameters. See How to Cut Your JMeter Scripting Time by 80% article for more details.
Is there a way to choose the specific default client certificate for authentication on web-resources? In the prefs.js in firefox app data folder, there is a line:
security.default_personal_cert
I changed its value to:
Select Automatically
And now it is selecting the first certificate for site avaliable. I want basically to automatate this process (with imacros and few other tools). Is there a way i can set a SPECIFIC certificate as default client certificate? Maybe i have missed somethign else?
It is possible to implement this, but probably not very useful, and I do not believe it is implemented in Firefox.
Servers are usually configured with a specific CA certificate (or set thereof) to use for validating client certificates. The TLS Certificate Request message will usually advertise the Issuer Distinguished Names of these CA certificates in the certificate_authorities field, which the client will then use to select an appropriate certificate to supply in the Client Certificate message. In particular:
If the certificate_authorities list in the certificate request
message was non-empty, one of the certificates in the certificate
chain SHOULD be issued by one of the listed CAs.
An "always use this certificate" option would be useful only in the case where the server does not advertise which CA(s) it intends to use to validate client certificates (I have never seen this situation before). Normally, the Select Automatically heuristic will Do The Right Thing.
If you need an automated way to choose a particular certificate where you have multiple certificates for the same site, Firefox provides the option of multiple profiles. You can have a single certificate in each profile, which will be automatically chosen. It is inconvenient but I do not know of another way.
I have a certificate that has to be imported into Certificates/Trusted Root Certification Authorities and has a corresponding private key.
To actually access the key from code you need to set private key permissions to grant full access to particular IIS application pool. I totally understand that but the problem is that this can only be set on personal certificates and not trusted root ones.
I've tried adding the same certificate to Personal store and the following code doesn't break:
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 cert in store.Certificates)
{
if (cert.HasPrivateKey)
{
// access private key here
}
}
store.Close();
Setting permissions on certificate in personal store works if I change StoreName.Root to StoreName.My. I'm able to access it there. But I'm not able to access it in root. It just says:
Keyset does not exist
Any suggestions?
Additional information
If I set my application pools identity to Local System (which has total permissions over my machine) I can successfully access private key. So the main question is how do I set permissions on my application pool identity to have access to private keys for certificates in the Trusted Root store.
Why trusted root store and not personal?
I have a pre-built assembly that accesses this certificate in this particular store, so simply placing the certificate in Personal store won't do the trick for me. That's why setting trust permissions on private keys of trusted root certificates is imperative.
I haven't tried this with the Trusted Root Certification Authorities but what I have found is the simplest thing to do with other Certificate Stores is to drag and drop the certificate into the Personal Store and then set permissions and then drag and drop back to the original certificate store. In your case the Trusted Root Certification Authorities.
Steps using Certificates MMC:
Import certificate to the store you want it and mark keys as exportable. (You might be able to bypass this and import directly to the Personal Store, but I haven't tried.)
Drag and drop the imported cert to the Personal Store.
Right click the certificate in the Personal Store and in the context menu, click "All Tasks", then in the submenu click on "Manage Private Keys". Set the appropriate permissions according to your app pool as referenced in step 1.
After permissions have been set, drag and drop the certificate back to the original store (in your case the Trusted Root Certification Authorities).
Solution
It is possible to set trust permissions on certificates other than those in Personal certificate store, but you can't set permissions via MMC. At least not directly on the store that is. Accepted answer shows a simplified approach with moving certificates around to achieve the same result.
You have to do it this way...
Getting the tool
Get WF_WCF_Samples file from Microsoft. This is a self extracting archive, but you won't need to extract everything. So...
Open the file with any archiver tool and only extract FindPrivateKey solution/project
Open in Visual Studio and compile it.
Finding your private key
Open MMC and add Certificates snap-in. Make sure you select Computer and Local Machine when adding it.
Select the store that has your certificate with private key.
Open private key and copy its Thumbprint
Open command prompt and navigate to the folder where you compiled your FindPrivateKey tool
Enter this command
FindPrivateKey YourStoreName LocalMachine -t "ThumbprintWithSpaces" -a
ie.
FindPrivateKey Root LocalMachine -t "83 45 22 ..." -a
Copy file along with path (it will liekly span over two lines so copy to Notepad and concatenate)
Grant certificate trust
open command prompt and enter:
icacls "FullPathOfYourPrivateKey" /grant:r "UserFQDN":f
ie.
icacls "c:\ProgramData..." /grant:r "IIS AppPool\ASP.NET v4.0":f
Done.
This will grant certificate private key full trust to your user (in my case above it's application pool identity) so you can use the key to sign data or do whatever you need to do with it.
In case you don't want full permissions, you can easily change the last part after colon. It can have many different settings, so I urge you to check icacls command help.
If you are using Windows Server 2003, you'll notice that you don't get the Manage Private Keys task under your certificate.
If you install Microsoft WSE 2.0 on to your machine, you can use a tool called X509 Certificate Tool. Just search for your cert, its more than likely in (or should be) in Local Machine / Personal Store.
NOTE: if you have your cert in Current User / Personal Store (which often is the default), it will only be accessible to the user that is currently logged in, which means if you want your webserver to access it, it can't without changing permissions to your AppPool.
You should be able to change the permissions to the private key very easily, by default, your AppPool on your webserver will be using NETWORK SERVICE to run your web application. So just add NETWORK SERVICE to the security and by default it will set the Read and Read / Execute permissions which is sufficient for your BouncyCastle, etc, to read the private key so you can sign your document.
Hope this helps.
I am using some of the local machine's resources using COM interop functionality provided in Silverlight 4.0. Hence, naturally I need OOB with elevated permissions. However, in my case I am consuming the WCF services hosted on HTTPS channel. Here is where I am facing the problem. The OOB with elevated permissions applied, doesn't allow me consuming the HTTPS service hosted on either different or the same domain, giving me a NotFound exception. Please note that I have used the self-signed certificate for the development environment. The same is also installed in the Trusted Root folder of the client machine on which I am testing.
Interestingly, when I set the Fiddler options (in Fiddler session, Toos -> Fiddler Options -> HTTPS tab) to intercept the HTTPS traffic, with Decrypt HTTPS traffic checkbox set, I am able to use the same HTTPS service without any exception. But for that, I was told by Fiddler to store a temporary certificate inside my user profile's Fiddler directory, and I must have at least one Fiddler session at that time. Hence, it seems to be a certification issue. But does it relate in anyway to signing of the XAP file with the required certificate ? I am not sure. I tried with a self-signed certificate and bind my layer service URL to use that certificate. Then I install the same certificate to Trusted root folder of the client. But i was not successful in signing the XAP with that certificate.
Please let me know if you have any work-around.
If the code is running in a different user's context, you need to put your "Self-signed" certificate into the Machine Trusted Root store. Start mmc.exe. On the File menu, choose to Add a Snap-in. Add the Certificates snap-in. Pick Local Machine. Import the Self-signed root into the Trusted Root store.
I had the same problem and found out, that the SSL settings in IIS were wrong.
I configured IIS 7.5 to SSL only and to accept client certificates. With this settings, I ended up with the service not found error in OOB. After setting IIS to ignoring client certificates the OOB Application works fine.
I am having to set up a site with an additional need for security over what I would normally have for an SSL site. To handle this, I am establishing a private CA for the client. Once the import the CA I create as trusted, it will allow them to use the site without SSL errors popping up all the time.
The problem that I have, is that I need to setup the client's browser so that it will notify them if the server certificate changes (browsers won't do this, as long as the new certificate is from a trusted source.)
So, what I am wondering is if there is a browser out there, or a plugin for an existing browser that will allow this functionality.
The Certificate Patrol plugin for Firefox does this (it is active for all sites, not a specific one, but you could easily modify it to suit).