Standalone browsermob-proxy / MITM configuration


Steven E

Dec 2, 2016, 5:01:53 PM
to BrowserMob Proxy
I would like to use the browsermob-proxy with MITM support in standalone mode.

Is there a guide on how to create a new CA certificate / private key and add these files to the proxy ssl directory so the proxy with MITM support can be used in standalone mode? When I create a self-signed CA certificate / key pair and replace the provided cert / key files, I get warnings about using a self-signed certificate. The example in the GitHub documentation under the Trusted Root Certificates heading only shows a Java example on how to trust a self-signed certificate. Does this mean usage of user signed certificates is not supported in standalone mode unless I modify the Java code and recompile?

Thank you for any support you can provide with this issue.  

Note:  I am willing to provide the steps I've taken to create my CA certificate, install them into the proxy, and how I'm testing / error messages if any of this would help. 

Steven


Steven E

Dec 6, 2016, 12:07:09 AM
to BrowserMob Proxy
I figured out a way to use my self-signed CA certificate / key pair with browsermob-proxy with MITM support in standalone mode.  Since the steps were not obvious (at least to me), I'll provide the complete steps.

Generate a new key:
openssl genrsa -out rootCA.key 2048

Create a self-signed certificate:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

Notes:  
  • I used 3650 days (10 years) to match the certificate provided with the proxy server.
  • It's going to ask for some meta information. Be very generous / descriptive with your choice of words. It will help you find your certificate should you install it in a browser. Example: the provided keys use information like "CN=LittleProxy MITM, O=LittleProxy RSA Impersonation CA"

Convert the .pem file to .p12
openssl pkcs12 -export -out ca-keystore-rsa.p12 -inkey rootCA.key -in rootCA.pem -certfile rootCA.pem -name key

Notes:  
  • When it asks for a password, use "password".  The proxy server expects this file to be protected with this basic password.
  • '-name key' -- this part of the statement inserts metadata (Bag Attributes -- friendlyName) used by the proxy to find the correct key.

Rename rootCA.pem to ca-certificate-rsa.cer so it matches what the proxy calls the file.

The new cert / key files need to be inserted into the proxy codebase in three places.  (I think it is only required in the file lib/browsermob-dist-2.1.2.jar, but since the files exist in three places, we should update all of them.)

Replace the cert / key files in /ssl-support directory
Replace the cert / key files in lib/browsermob-dist-2.1.2.jar
Replace the cert / key files in browsermob-core-2.1.2-sources.jar

Jar files are basically zip archives.  Use your favorite zip tool to change these files out.

Bounce the proxy servers to see your new keys.

To test:

curl --cacert ../local-certs/rootCA.pem --verbose --proxy localhost:8081 https://www.google.com/ --compressed

Note: You'll need to point to your locally generated cert file.

I don't know if this is the best way, or the method the developers had intended us to use.  However, it was the only way I could find to use my self-signed certs in standalone mode.

Hope this helps.

Steven
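
Added example (not part of Steven's post and not BrowserMob Proxy code): a shell check that the renamed certificate and the .p12 keystore agree with each other before they are copied into the three locations. It assumes both files sit in one directory under the file names, password and alias given in the post; the function name check_mitm_ca is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the CA files produced by the steps above.
# Assumptions: file names, the keystore password "password" and the alias
# "key" are taken from the post; check_mitm_ca is a hypothetical helper.

# check_mitm_ca DIR
#   returns 0 when DIR/ca-certificate-rsa.cer and DIR/ca-keystore-rsa.p12
#   are consistent; otherwise prints a reason to stderr and returns 1-5.
check_mitm_ca() {
    cer="$1/ca-certificate-rsa.cer"
    p12="$1/ca-keystore-rsa.p12"
    [ -f "$cer" ] && [ -f "$p12" ] \
        || { echo "missing $cer or $p12" >&2; return 1; }

    # 1. The keystore must open with the password the proxy expects.
    keypem=$(openssl pkcs12 -in "$p12" -passin pass:password \
                 -nocerts -nodes 2>/dev/null) \
        || { echo "keystore does not open with 'password'" >&2; return 2; }

    # 2. The friendlyName bag attribute must be "key" (set by '-name key').
    printf '%s\n' "$keypem" | grep -Eq 'friendlyName: key[[:space:]]*$' \
        || { echo "friendlyName is not 'key'" >&2; return 3; }

    # 3. The public key in the .cer must belong to the keystore's private key.
    cert_pub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null)
    key_pub=$(printf '%s\n' "$keypem" | openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and keystore key do not match" >&2; return 4; }

    # 4. The certificate must not already be expired.
    openssl x509 -in "$cer" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate is expired" >&2; return 5; }
    return 0
}
```

Run it as check_mitm_ca /path/to/new-certs before replacing the files; a return code of 3 or 4 means the '-name key' alias or the cert/key pairing went wrong during the pkcs12 export.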

je...@outlook.com

Dec 11, 2016, 4:08:34 PM
to BrowserMob Proxy
That's about right for the current standalone mode. The upcoming REST API refactor is going to include an easier way to install custom certificates and keys when using BMP.

Viacheslav Gordiievskyi

Apr 6, 2020, 11:17:00 PM
to BrowserMob Proxy

Hi there,

Sorry, but I am looking for this better way with the new refactored API. Is it already in place, or do Steven's steps still need to be used?