Friday, July 3, 2015

Homemade certificates for the web developers

Working with the web, you will definitely end up having to generate a trusted certificate at least for your localhost. In my case, I have been working with certificates a bit more and the need of a personal CA was obviously the best solution. Moreover, I wanted to modify Fiddler's CA name to avoid having the ugly "DO_NOT_TRUST_FiddlerRoot". This post describes how I automated the certificate generation process and also mitigated the Firefox's warning about the old SHA1 hashing.

Generating the required certificates with the use of visual studio is a three step process.
  1. Load visual studio command line tools in the command prompt: This is done doing a call "%VS120COMNTOOLS%..\..\vc\vcvarsall.bat" where VS120COMNTOOLS is an environment variable pointing to the path of the visual studio 2013 (aka vs120) tools.
  2. Generate a CA specifying the -cy authority attribute in the makecert tool. Also note that I am using sha256 and a key length of 2048 in order to address the phasing out warning firefox is flooding you with in the debug console.
  3. Generate the CN=localhost certificate. Note that you could use multiple CNs making a Subject Alternative Name (SAN) certificate using the , separator like “CN=localhost, CN=ubersite.eu, CN=*.locahost”.
Having these two certificates, you can add the public key of the CA in the machine’s trusted root certificate authorities and both the private and the public key in the machine’s My store in order to allow IIS to use it in its https binding. These tasks could be done manually (export cer and pfx files from User’s My store and import them in the corresponding locations using the mmc) but powershell comes to the rescue when you want to automate these tasks.

As a bonus, on this script I generate yet another intermediate CA that fiddler will use in order to intercept the https web traffic and replace the scary and ugly “DO_NOT_TRUST_FiddlerRoot”. First you need to generate the certificate. I gave it a friendlier name that will remind me that fiddler is intercepting the traffic and then setup the two registry keys required to change the default certificate for fiddler.
These keys are located in HKEY_CURRENT_USER\Software\Microsoft\Fiddler2 and the certificate fiddler is looking for uses the following name “CN={MakeCertRootCN}{MakeCertSubjectO}” which by default (if the keys are not found) has the value “CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com”.

Hope you enjoy the following batch file and happy web development :)

No comments: