
I am currently writing an HTTPS proxy using OpenSSL, but I cannot get Firefox or IE to accept my self-signed certificate as a CA. I have added the certificate to "Trusted Root Certification Authorities" in IE and "Authorities" in Firefox. I am testing on https://ssltest11.bbtest.net/ with the certificate found at Geotrust, but the same applies for other sites as far as I've seen. IE gives me the error:

The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address.

Firefox:

https://ssltest11.bbtest.net/ Peer's Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain: -----BEGIN CERTIFICATE-----

Do I have to generate a certificate for each domain that the proxy connects to?

To clarify, I am generating the .pem certificate and key, then converting the certificate to .cer, which I use in Firefox and IE. The .pem certificate and key are used by the proxy.

Æðelstan
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Oct 22 '16 at 16:45
  • Proxy certificates are different than traditional end-entity certificates (the latter are gamed by MitM middleware boxes). Also see [RFC 3820, Proxy Certificate Profile](https://www.ietf.org/rfc/rfc3820.txt). You should probably also visit [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) – jww Oct 22 '16 at 16:47

1 Answer


If you want to do SSL interception you have to generate a CA certificate which you add as trusted to the browser/system and then dynamically generate leaf certificates signed by this trusted CA certificate. This means for each site you are doing SSL interception for (i.e. man in the middle attack) you need to create a certificate which matches the name as shown in the URL. Matching certificates can for example be created by extracting common name and subject alternative names from the original certificate and creating a new certificate based on this information, signed by your man in the middle CA.

Steffen Ullrich
  • I didn't quite understand; what would be the minimum information needed for the new certificate? – Æðelstan Oct 21 '16 at 20:01
  • @Æðelstan: the minimum information would be a subject matching the domain in the URL (common name or subject alternative name, preferably the latter) and that the certificate is signed by the interception CA. – Steffen Ullrich Oct 21 '16 at 20:03
  • I see, and what is the subject alternative name? – Æðelstan Oct 21 '16 at 20:04
  • So, the name of the new certificate can be anything, but then the subject alternative names must contain the original domain? – Æðelstan Oct 21 '16 at 20:08
  • @Æðelstan: use of subject alternative name is preferred to use of common name, but browsers accept it if only a common name and no subject alternative name is given. If both are given, the common name might be ignored, depending on the browser. To be on the safe side you might put the name in both parts. – Steffen Ullrich Oct 21 '16 at 20:23
  • Proxy certificates are a real thing, and they are different than end-entity certificates gamed by MitM middleware boxes. Also see [RFC 3820, Proxy Certificate Profile](https://www.ietf.org/rfc/rfc3820.txt). – jww Oct 22 '16 at 16:51
  • @jww: The phrase "proxy certificate" can have a multitude of meanings and RFC 3820 just describes one of them (i.e. a certificate used *as* proxy). But the phrase is also commonly used for the certificate *created by* the proxy (as in this question) or the certificate *of* the proxy (for proxies accessed with TLS). Confusing, but it's actually common in human language that the true meaning of a phrase shows only by looking at the context. – Steffen Ullrich Oct 22 '16 at 17:01