Why won't fiddler install my certificate windows 8? - unable to configure windows to trust Fiddler Root certificate - ssl

I have an application which is making calls to twitter and I need to inspect the traffic so that I can learn more about oAuth.
When I double click the ssl traffic I get a yellow box which prompts me to go and change the options (by the way I am running my app through a proxy).
After having read about using a certificate on my machine which fiddler creates I have clicked the link to let fiddler install certificates on my machine by following these instructions...
http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurefiddlerforwin8
However instead of this happening...
I get this error message...
"unable to configure windows to trust Fiddler Root certificate" here is a screen shot....
When I checked the logs as suggested (although is confusing as I thought the log was to do with each individual request), anyway I saw this...
I have even tried installing the certificate manually to no avail. Hope someone can help me get fiddler/ssl decryption working with windows 8! :-)
UPDATE : In response to Eric's questions he made in the below answer...
Hi Eric thanks for replying.
1) A box popped up saying 'Certificate Trust' this is the box I have taken a screen shot of above. It was the box that told me to check the log.
2) I have an account and when I check my users it says I am an Administrator underneath my username.
3) I have tried to run Fiddler as an Administrator to no avail.
I also tried to drag and drop the certificate manually into the certmgr.msc tool and it comes up with a little round cursor with a line through it. Sounds like permissions but I just can't see why as I have full everything....

I finally found a way to workaround cases where group policy tries to limit who you can trust.
METHOD 1
Go into the fiddler HTTPS options and export the root cert to your desktop.
Open up mmc.exe and add in the certificate widgets for Local Computer
Import the fiddler certificate into the Third-Party Root Certificate Store
Go ahead and use fiddler and see it generate new certs and watch your system trust them.
Method 2
Run afoul and bypass an intentional security control.
reg delete HKLM\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots /f
Go back into fiddler HTTP options, and toggle Decrypt HTTPS traffic off and on again. press okay to install the cert in the usual way
maybe run a gpupdate /force to get your setting back to the way your admins intended.
For insight, the problem group policy settings may look something like this:
If you have any Flags value in your registry under Local_Machine \ Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots, this lock-down is probably in effect.
@EricLaw - Are you up for maybe changing fiddler to try to import into the third-party store by default? It seems like the "third-party store" may be less subject to lockdown.
This is the best write-up of third-party-store I've seen: http://kreelbits.blogspot.com/2014/02/whats-purpose-of-users-third-party-root.html
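
A read-only audit of the two things this answer turns on, as an added example that is not part of the original answer: whether the ProtectedRoots policy Flags value is set, and which root stores currently hold a Fiddler root. The function names are hypothetical; the subject string is the DO_NOT_TRUST_FiddlerRoot name quoted elsewhere on this page, and AuthRoot is the store name behind "Third-Party Root Certification Authorities".

```powershell
# Added example: read-only checks, nothing is changed on the machine.
$policyKey    = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
$subjectMatch = 'DO_NOT_TRUST_FiddlerRoot'   # subject name quoted on this page

function Get-ProtectedRootsPolicy {
    # Returns whether the group-policy Flags value exists and what it contains.
    $prop = Get-ItemProperty -Path $policyKey -Name Flags -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Present = $false; Flags = $null; CurrentUserRootDisabled = $false }
    }
    $flags = [int]$prop.Flags
    [pscustomobject]@{
        Present = $true
        Flags   = '0x{0:X}' -f $flags
        # 0x1 is CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG in wincrypt.h:
        # per-user root trust is switched off, so only machine stores count.
        CurrentUserRootDisabled = [bool]($flags -band 0x1)
    }
}

function Find-InterceptionRoot {
    # Lists matching certificates in the user and machine root stores.
    param([string]$Match = $subjectMatch)
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\AuthRoot',
              'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$Match*" } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

Get-ProtectedRootsPolicy | Format-List
Find-InterceptionRoot    | Format-Table -AutoSize
```

The Store and Thumbprint columns identify each trusted copy of the interception root, which is what you need in order to remove it again once the debugging session is over.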

I managed to solve a similar problem I was having (in windows 7) by following the instructions here: http://casualtechs.blogspot.com.au/2010/06/problem-when-trying-to-import.html (with the only difference being that we want to add the Fiddler certificate to "Trusted Root Certification Authorities -> Local Computer" instead of the "Trusted Publishers" that is mentioned on that site). My modified steps were:
Obtain the Fiddler root certificate from the "fiddler options" -> "Https" -> "Export root certificate to desktop" menu
Open the certificate (double click on it)
Click on the Install certificate button
Click the "Next" button
Select "Place all certificates in the following store"
Click the "Browse" button
Tick the "Show physical stores" checkbox
Expand the "Trusted Root Certification Authorities" folder
Click "Local Computer"
Click the "OK" button.
Click the "Next" button, then click the "Finish" button
Basically the bit I was missing when trying to import the Fiddler Root certificate was to drill down into the "Local Computer" folder underneath the "Trusted Root Certification Authorities" folder. You will have to make sure that the "Show physical stores" checkbox is ticked as shown below:

The error message in question indicates that your Per-User certificate store does not allow you to put certificates into it. Sometimes this happens if your Corporate Group Policy prevents end-users from trusting certificates. Sometimes it happens if your software configuration has been changed by 3rd party software (E.g. VPN or security clients). Sometimes it happens when there's a corrupt ACL somewhere.
Questions
1) What dialog box immediately preceded the error message on the Log tab?
2) Are you an admin on the box?
3) If so, if you run Fiddler as Admin and try again does it succeed or fail?
Workarounds
If #3 doesn't work, click the Export root certificate to desktop button. Then launch certmgr.msc using Start > Run. Attempt to drag the certificate from your Desktop into the Trusted Root Certification Authorities folder. What, if any, error messages are shown?

When configuring Telerik's Fiddler to handle HTTPS, I could not get root certificate installed. The error was "Failed to find the root certificate in User Root List". I solved the problem by temporarily turning off WebRoot, my antivirus program, then reattempting to enable HTTPS handling which installs Fiddler's root certificate. You may have to click the Action button on the HTTPS tab to remove/reset previous certificates before being able to create a new certificate.

I reset my certificates by Tool > Options > HTTPs > Action > Reset all certificates but it doesn't work.
This is how I fixed my problem
Restart service CryptSvc.
Right click HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
Permission > Current Windows Users > Full Access
Delete Full Key HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
Restart Windows and that's it
Ref: https://www.addictivetips.com/windows-tips/fix-chrome-not-working-windows-10/

Related

MSIX installation won't accept my digital certificate

I'm trying to create an MSIX installation for a small WPF desktop application. I don't need to publish to the store, just "sideloading".
I have a digital certificate, since MSIX requires one. I've installed the certificate on my machine, both for the Current User and the Local Machine.
When I click the "Choose Certificate" button, and then "select from store" the only certificate I see is the test certificate I created myself. I would expect to see "more options" or something like that which would allow me to choose whichever certificate I want.
When I click "Select from file", I get an error that says: "The manifest Designer could not import the certificate. The certificate you selected is not valid for signing because it is either expired or has another issue".
Initially, the "Issued To" value had a comma in it, which my research led me to believe would not work. So I had the certificate authority re-issue it without the comma. I got the same results.
Documentation is very sparse, but what I have seen indicates that I'm doing everything correctly. Any help would be appreciated.
Thanks,
Geoff Callaghan

.net core WebAPI enable SSL for intranet

I am new to the SSL stuff, and developing WebApi .net core 3.0 that will be consumed by react (both hosted on same webserver-IIS 10 on 443 port).
Can you tell me very clear and detailed steps to make it work
The DNS mapping is done and WebApi and react app both are hosted on IIS, but when API is being called from react it is giving error ERR_CERT_AUTHORITY_INVALID
Dev and Test server will not have an actual certificate, so what settings I should do (how should I
generate cert and add on IIS?)
I've followed some blogs/videos but, I am missing or doing something wrong.
If you want to create a self-signed certificate in iis you can try one of the below ways:
1)using GUI
open iis manager
Click on the server name in the Connections column on the left and Double-click on Server Certificates
Click on Create Self-Signed Certificate in the Actions Column on the right.
Type any meaningful name and then click OK to proceed
Click OK. Once that is complete you should now see the SSL in the list of Self-Signed certificates.
2)using command prompt
New-SelfSignedCertificate -DnsName www.domain.com -CertStoreLocation Cert:\LocalMachine\My
You could also try to move the certificate to the trusted root by following below steps:
1)open mmc.exe as administrator.
2)In the MMC Console, in the top menu, click File > Add/Remove Snap-in….
3)In the Add or Remove Snap-ins windows, in the Available snap-ins: section, select Certificates and then click Add >.
4)In the Certificate snap-in window, select Computer account and then click Next.
5)In the Add or Remove Snap-ins window, you should now see the Certificates (Local Computer) snap-in.
6)Click OK
7)In the MMC Console, in the console tree, expand Certificates (Local Computer) > Personal, and select the Certificates folder.
8)In the center pane, select the certificate that you want to move.
9)Right-click on the certificate and click Copy.
10)now Expand Trusted Root Certification Authorities, certificate folder.
11)right-click on the middle pane and paste certificate.
If you have a certificate already then you can import and set it at the trusted root store by following below article:
How to trust the IIS Express Self-Signed Certificate
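
The command-line route and the "move to trusted root" steps above combined into one script, as an added example that is not part of the original answer. The host name and export path are hypothetical placeholders; the script exports only the public certificate, so the private key stays in the Personal store, and then checks that the chain builds.

```powershell
# Added example: run in an elevated PowerShell session on the dev/test server.
$dnsName = 'api.dev.example.test'               # hypothetical intranet host name
$cerPath = Join-Path $env:TEMP 'dev-api.cer'    # hypothetical export path

# 1. Create the key pair and certificate in Local Computer > Personal.
#    A short lifetime limits how long a forgotten test certificate stays trusted.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddMonths(6)

# 2. Export the public certificate only; the private key is not written to disk.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Trust it on this machine. Every client that calls the API needs the same
#    .cer imported, otherwise its browser still reports ERR_CERT_AUTHORITY_INVALID.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Verify that Windows now builds a trusted chain for the certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Trusted    = $trusted
    ChainError = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
} | Format-List

# Cleanup when the test environment is retired (uncomment to run):
# Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
# Remove-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
```

The thumbprint printed at the end is the value to select when adding the https binding for the site in IIS Manager.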

Fiddler - cannot decrypt SSL Traffic - unspecified CryptographicException

I am having problems decrypting any SSL traffic (my Windows 10 PC) using (the latest version of) Fiddler.
I have tried Eric's (created Fiddler) post on resetting certificates to no avail:
http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/
I am seeing the following error in the logs on all SSL requests:
09:50:02:3744 fiddler.network.https> HTTPS handshake to www.fiddler2.com (for #1) failed. System.Security.Cryptography.CryptographicException Unspecified error
To try and isolate the issue I installed Charles and it is able to decrypt SSL requests so I don't believe it is a system-wide / local network issue.
Any help much appreciated as Fiddler is such an excellent tool.
So I have now got Fiddler working again, these steps fixed my problem:
Remove Fiddler certificates (via the GUI, and manually check in Certificates mmc)
Uninstall Fiddler, including all settings data
Use a registry cleaner to clean up orphan / broken entries
Delete any remnant folder related to Fiddler
Download latest version of Fiddler
Install using all defaults (don't install to a custom location)
Set HTTPS Capture and Decrypt in Fiddler
I faced similar issue on mac with Fiddler. This was the first time I was using fiddler with mac.
The problem was the mac was not trusting the Fiddler certificate.
To solve it I first of all, go to the Fiddler and then choose
Tools>Options>HTTPS
check Decrypt HTTPS Traffic
In the same dialog, then go to actions and click on export root certificate to the Desktop
click ok and close the fiddler.
Now the fiddler certificate has been downloaded on your desktop. In my case its name was FiddlerRoot.cer .
Double click on it and it will open in the keychain.
Select certificate option from left hand under category
You will find there is a certificate with name DO_NOT_TRUST_FiddlerRoot
Right click on the certificate and click on the Trust to make it expand. Here is how my dialog looks now.
In your case instead of Always trust, use system defaults would have been selected by default. Select Always trust.
Clear cookies and cache of your browser and then restart the browser.
Now if I start my fiddler it is able to decrypt the https website.

(OS X)Unable to Export .p12 on Keychain

Issues were encountered after creating both a Development SSL Certificate, as well as a Production SSL Certificate. In case you're struggling with the procedure, I found this link to be quite helpful:
How to export certificate from Mac OS X to get pair of .cert and .key files ?
The screen shows instructions for creating a Certificate Signing Request (CSR). I Selected "Continue", then selected "Choose File..." and located the .certSigningRequest.
Selected "Generate". Once the certificate was ready, I selected "Done" and then downloaded the generated SSL certificate from the "iOS App ID Settings" screen.
Follow this link as it is pertaining to the bottleneck at hand:
https://www.parse.com/tutorials/ios-push-notifications
You must Double click on the downloaded SSL certificate to install it. Using Keychain Access, click right under "My Certificates", then you must find the certificate you just added.
Right-click on it, select "Export Apple Development IOS Push Services:...", and save it as a .p12 file. The problem is, I don't have the option to export to .p12 as it is grayed out.
How should I proceed?
Turns out all you have to do is select "My Certificates" on the left panel and it enables the .p12 option.
Open your Keychain Access and make sure your certificate is listed under login keychains (left side), then you should be able to see the export to a .p12 file option. If that does not work for you, possibly your certificate is created incorrectly. Try to generate another one.
2021 answer
What worked for me was to open KeyChain Access, under My Certificates tab, select both files, right click, export 2 items, and the option was available.

Safari doesn't detect my Extension Certificate

I have registered for the Safari Development Program and have a valid Apple ID. I've followed all the steps given by Apple.
The problem is that Windows XP (Service Pack 2) does not recognize the command 'certreq', whereas the instructions said it would work on any Windows machine.
However, the command 'certreq' was working on Windows Vista on the machine of my co-worker's, I downloaded the certificate (the .cer file) and installed it and Safari detected it.
However, I don't have Windows Vista.
I installed Windows 7 now on my machine, the command 'certreq' works and I have the Safari Extension Certificate (the .cer file) but when I open Safari's Extension Builder, my certificate does not appear there.
I entered mmc in Start --> Run and checked if the certificate was installed there. It was in the 'Other People' but not in 'Personal'.
Even on Internet Explorer 7+, when I go to Tools --> Internet Options --> Content (Tab) --> Certificates, the certificate is not there in the Personal tab, (WHEREAS IT GOT INSTALLED IN THE PERSONAL FOLDER AUTOMATICALLY IN WINDOWS VISTA). I tried importing the certificate (the .cer file) into the Personal folder, the import is successful but still neither does it appear in the personal folder nor does Safari recognize/detect it when I go to the Extension Builder.
ANY HELP?!
I need to make an extension for my office project and the deadline is approaching. I really need to get it done.
Thanks a million in anticipation.
I was facing the similar problem. After struggling a lot the following worked for me:
Install (Windows Server 2003 service pack 2) Administration Tools pack as shown on “Generate a Certificate Signing Request” screen shown by Safari Extension Certificate assistant: http://www.microsoft.com/download/en/confirmation.aspx?id=6315
Install IIS resource kit for SelfSSL- http://www.microsoft.com/download/en/confirmation.aspx?id=17275
As indicated by Safari Extension certificate assistant, save the following as certreq.txt --https://devimages.apple.com.edgekey.net/safari/files/certreq.txt
Run cmd, and then change directory to where you saved certreq.txt
On command prompt type: certreq -new certreq.txt newcsr.pem
Press Continue on the Safari Assistant screen, and upload this newcsr.pem
It will generate a certificate that you need to install by double-clicking on the installed file.
You are done!
Go to Develop (in Safari menu bar)>> Show Extension Builder >> Click + and select new extension.
By generating the cert request on another machine you don't have the private key associated with the cert on your own. Generate a cert request on your Win7 machine now, go get a new cert from Apple, and it should work fine.
To use the certificate on Windows, I needed to click on the file that was created (safari_identity.cer). That installed the certificate in the Windows Certificate store. Run certmgr.msc and look under the Personal..Certificates folder to see it. My installed cert looked something like this in the Microsoft Management Console for Certificates: "Safari Developer: (xxxxxxxxxxx) me@zzz.com".
this is an answer for Mac users who may be experiencing this problem.
Once you install your certificate, double click it, go under Trust, and set Always Trust for When using this certificate. Your certificate should work then.
It's got something to do with the private key - On my Vista it says CertReq: Request Created and it installs fine, but then on Windows 7 it just creates the file and when you look at the info before/after install it doesn't display that it is associated with the private key on the computer. Very confused I am.
when you enter something like "certmgr.msc" in the run command in window, you will get to see something like this:
So using the certificate consists of the following steps:
first save the file and run the command in cmd.exe as directed in the developer certificate generator in extension certificate developer.
when you are done, check the certmgr [shown above in the image] and see a certificate named safari developer installed somewhere near Certificate Enrollment Requests. cut the certificate and paste one copy inside trusted root certification Authorities and another inside Personal.
then generate the csr file and install the file inside Personal folder and trusted root certification Authorities folder.
extension builder will recognize the certificate.
Best of luck.
If the certificate has an incomplete chain, it may be necessary to install the certificates on Apple's certificate page . I believe "Worldwide Developer Relations" (and possibly the 2 root certificates) are necessary for Safari Development.