Friday, July 3, 2015

Homemade certificates for the web developers

If you work with the web, you will sooner or later have to generate a trusted certificate, at least for your localhost. In my case I had been working with certificates a bit more, and a personal CA was clearly the best solution. I also wanted to change Fiddler's CA name to get rid of the ugly "DO_NOT_TRUST_FiddlerRoot". This post describes how I automated the certificate generation and, along the way, got rid of Firefox's warning about the old SHA-1 hashing.

Generating the required certificates with Visual Studio is a three-step process.
  1. Load the Visual Studio command line tools in the command prompt. This is done with a call to "%VS120COMNTOOLS%..\..\vc\vcvarsall.bat", where VS120COMNTOOLS is an environment variable pointing to the path of the Visual Studio 2013 (aka vs120) tools.
  2. Generate a CA by passing the -cy authority attribute to the makecert tool. Also note that I am using SHA-256 and a key length of 2048 in order to address the phasing-out warning Firefox floods the debug console with.
  3. Generate the CN=localhost certificate. Note that you could use multiple CNs, making a Subject Alternative Name (SAN) certificate, with the "," separator, as in "CN=localhost, CN=ubersite.eu, CN=*.localhost".
With these two certificates, you add the public key of the CA to the machine's Trusted Root Certification Authorities store, and both the private and the public key of the localhost certificate to the machine's My (Personal) store so that IIS can use it in its https binding. These tasks could be done manually (export .cer and .pfx files from the user's My store and import them in the corresponding locations using mmc), but PowerShell comes to the rescue when you want to automate them.
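The same three steps in pure PowerShell, as an added example that is not the post's batch file: it uses New-SelfSignedCertificate instead of makecert, writes a real Subject Alternative Name extension for the host names instead of several CNs, and finishes with the checks I would run before pointing an IIS binding at the result (chain builds to the Root store, signature is sha256RSA, private key landed in the machine store). It assumes the Windows 10 / Server 2016 or later PKI module (the older cmdlet lacks -Signer and -TextExtension), an elevated prompt for the LocalMachine imports, and the host names from the post as constructed sample input; the variable names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's script. Assumes the Windows 10 / Server 2016+ PKI module.

$caName  = 'ca.localhost'
$leafDns = @('localhost', 'ubersite.eu', '*.localhost')   # sample host names taken from the post
$cerPath = Join-Path $env:TEMP 'ca.cer'
$pfxPath = Join-Path $env:TEMP 'localhost.pfx'
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'  # prompted, so it never sits in the script

# Step 2 equivalent: a root CA (what makecert -cy authority produces).
# Basic constraints CA=true, CertSign key usage, SHA-256 signature, 2048-bit key.
$ca = New-SelfSignedCertificate `
    -Subject "CN=$caName" `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=1') `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Step 3 equivalent: the server certificate, signed by $ca.
# -DnsName emits a genuine SAN extension (2.5.29.17), which is what browsers match the host name against;
# the EKU text extension restricts the certificate to server authentication (1.3.6.1.5.5.7.3.1).
$leaf = New-SelfSignedCertificate `
    -Subject "CN=$($leafDns[0])" `
    -DnsName $leafDns `
    -Signer $ca `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Export: public part of the CA only, public + private key of the server certificate.
Export-Certificate    -Cert $ca   -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $leaf -FilePath $pfxPath -Password $pfxPass | Out-Null

# Import where Windows and IIS look for them (this is the part that needs elevation).
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$installed = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# Checks worth running before binding IIS to the certificate:
#  - the chain builds under the SSL policy for the intended name (i.e. the Root import worked),
#  - the signature algorithm is sha256RSA (this is what silences the Firefox SHA-1 warning),
#  - the private key is present in the machine store, not just the public certificate.
$chainOk = Test-Certificate -Cert $installed -Policy SSL -DNSName $leafDns[0] -ErrorAction SilentlyContinue
$sanExt  = $installed.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

[pscustomobject]@{
    Thumbprint = $installed.Thumbprint
    Issuer     = $installed.Issuer
    ChainValid = [bool]$chainOk
    Sha256     = ($installed.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
    PrivateKey = $installed.HasPrivateKey
    SAN        = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
} | Format-List
```

Run it from an elevated PowerShell prompt; the output object tells you at a glance whether anything in the chain is wrong before you touch the IIS binding. Keeping the CA's private key in the CurrentUser\My store and only ever exporting its .cer means the machine's Root store never receives the signing key.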

As a bonus, in this script I generate yet another intermediate CA that Fiddler will use to intercept the https web traffic, replacing the scary and ugly "DO_NOT_TRUST_FiddlerRoot". First you need to generate the certificate. I gave it a friendlier name that will remind me that Fiddler is intercepting the traffic, and then set up the two registry keys required to change Fiddler's default certificate.
These keys are located in HKEY_CURRENT_USER\Software\Microsoft\Fiddler2, and the certificate Fiddler looks for uses the name "CN={MakeCertRootCN}{MakeCertSubjectO}", which by default (if the keys are not found) has the value "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com".
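An added check, not part of the post: it reads the two registry values described above (falling back to the defaults the post states when they are absent), composes the subject Fiddler will look for, and reports whether a matching certificate exists in the user's My store with CA basic constraints and a private key. It also lists which Root stores trust that certificate, which is what you need to know when it is time to remove a homemade interception root. The function name is mine; the fallback for MakeCertSubjectO is derived from the combined default subject quoted above.

```powershell
# Added example, not the post's script. Derives Fiddler's expected root subject from the registry
# and verifies that the certificate it will look for actually exists and is usable.
function Get-FiddlerRootInfo {
    $regPath = 'HKCU:\Software\Microsoft\Fiddler2'
    $props = if (Test-Path $regPath) { Get-ItemProperty -Path $regPath } else { $null }

    # Defaults derived from the post's combined default subject
    # "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com".
    $rootCN   = 'DO_NOT_TRUST_FiddlerRoot'
    $subjectO = ', O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com'
    if ($props -and $null -ne $props.MakeCertRootCN)   { $rootCN   = [string]$props.MakeCertRootCN }
    if ($props -and $null -ne $props.MakeCertSubjectO) { $subjectO = [string]$props.MakeCertSubjectO }
    $expectedSubject = "CN=$rootCN$subjectO"

    # Match on the CN only, so a subject with or without O/OU parts is found the same way.
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $root = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.GetNameInfo($simple, $false) -eq $rootCN } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    # Fiddler needs a certificate that can sign (CA basic constraint) and whose private key is present.
    $isCA = $false
    if ($root) {
        $bc = $root.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
        if ($bc) { $isCA = ([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]$bc).CertificateAuthority }
    }

    # Which Root stores trust this certificate. An interception root left behind in a Root store
    # stays valid for whoever holds its private key, so this is the list to clean up afterwards.
    $trustedIn = @()
    if ($root) {
        foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
            if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }) { $trustedIn += $store }
        }
    }

    [pscustomobject]@{
        ExpectedSubject = $expectedSubject
        Found           = [bool]$root
        Thumbprint      = if ($root) { $root.Thumbprint } else { $null }
        IsCA            = $isCA
        HasPrivateKey   = if ($root) { $root.HasPrivateKey } else { $false }
        NotAfter        = if ($root) { $root.NotAfter } else { $null }
        TrustedIn       = $trustedIn
    }
}

Get-FiddlerRootInfo | Format-List
```

If Found is true but IsCA is false, the makecert call was missing -cy authority and Fiddler will not be able to issue leaf certificates under it; if TrustedIn is empty, the browser will still warn on every intercepted site because the root was generated but never trusted.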

Hope you enjoy the following batch file and happy web development :)
@ECHO OFF
@rem Check for visual studio tools if not already loaded
if defined VCINSTALLDIR goto GenerateCerts
@rem Ensure that visual studio is available
if not defined VS120COMNTOOLS goto msbuild-not-found
if not exist "%VS120COMNTOOLS%..\..\vc\vcvarsall.bat" goto msbuild-not-found
call "%VS120COMNTOOLS%..\..\vc\vcvarsall.bat"
@rem Check that vs is properly loaded
if not defined VCINSTALLDIR goto msbuild-not-found
:GenerateCerts
@rem The imports into Cert:\LocalMachine\* below need an elevated prompt
net session >nul 2>&1
if errorlevel 1 goto not-elevated
@rem One throwaway password for the local-dev pfx; the export and the import must use the same one
set "PFXPASS=aaaaaa"
@REM Generate a CA. Note the -cy authority for fiddler
makecert -r -pe -n "CN=ca.localhost" -cy authority -a sha256 -len 2048 -e 10/25/2985 -ss my -sr CurrentUser -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
@REM Generate localhost certificate
makecert -pe -n "CN=localhost" -a sha256 -len 2048 -e 01/01/2982 -is my -ir CurrentUser -in "ca.localhost" -ss my -sr CurrentUser -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
@REM Export certificates: CA public key as .cer, localhost key pair as .pfx
@REM (single quotes inside the -Command string, so cmd does not swallow them)
powershell -Command "&{Get-ChildItem Cert:\CurrentUser\My -DnsName ca.localhost | Export-Certificate -FilePath ca.cer}"
powershell -Command "&{$mypwd = ConvertTo-SecureString -String '%PFXPASS%' -Force -AsPlainText; Get-ChildItem Cert:\CurrentUser\My -DnsName localhost | Export-PfxCertificate -FilePath localhost.pfx -Password $mypwd;}"
@REM Import certificates: CA into the machine's Trusted Root store, localhost key pair into the machine's My store for IIS
powershell -Command "&{Import-Certificate -FilePath ca.cer -CertStoreLocation 'Cert:\LocalMachine\Root'}"
powershell -Command "&{$mypwd = ConvertTo-SecureString -String '%PFXPASS%' -Force -AsPlainText; Import-PfxCertificate -FilePath localhost.pfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $mypwd;}"
@REM Generate fiddler certificate
makecert -pe -n "CN=fiddler.intermediate" -a sha256 -len 2048 -e 01/01/2982 -is my -ir CurrentUser -in "ca.localhost" -ss my -sr CurrentUser -sky signature -eku 1.3.6.1.5.5.7.3.1 -cy authority -sy 1
@REM set fiddler to work with new intermediate to be able to delete custom certs
powershell -Command "&{Set-ItemProperty -Path HKCU:\Software\Microsoft\Fiddler2 -Name MakeCertRootCN -Value 'fiddler.intermediate'; Set-ItemProperty -Path HKCU:\Software\Microsoft\Fiddler2 -Name MakeCertSubjectO -Value $([string]::Empty);}"
@REM update fiddler's cert generation command to generate stronger certs for firefox (len 2048)
@REM The \" escapes keep the quotes around CN={0}{1} in the stored value
powershell -Command "&{Set-ItemProperty -Path HKCU:\Software\Microsoft\Fiddler2 -Name MakeCertParamsEE -Value '-pe -ss my -n \"CN={0}{1}\" -sky exchange -len 2048 -in {2} -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a {3} -m 132 -b {4} {5}';}"
@REM In order to see and export the newly created certificates
@REM Run mmc.exe
@REM File-> Add or Remove Snap-ins
@REM Select Certificates from the left and then My User account (if above is CurrentUser)
@REM They should be in the Personal->Certificates folder.
pause
exit /B 0
:not-elevated
echo This script must be run from an elevated (Run as administrator) command prompt
exit /B 1
:msbuild-not-found
echo Visual studio tools were not found! Please check the VS120COMNTOOLS path variable
exit /B 1
