certificate chain not trusted by Fiddler


Victor Khong

Jun 6, 2014, 2:10:41 PM
to httpf...@googlegroups.com
Hi:

I am running Fiddler v4.4.8.3 64-bit, .NET 4.0 on Windows 7 Enterprise SP1 64-bit. Certificates are generated using CertMaker.dll. The "DO_NOT_TRUST_FiddlerRoot" root CA certificate is in place.

Fiddler is able to access and decrypt:

Fiddler cannot access or decrypt:

The certificate at the destination is a trusted chain on the Windows computer running Fiddler. When not running Fiddler, IE9 can access the problem URL and trust the certificate chain.

When running Fiddler with "Decrypt HTTP traffic" turned off, Fiddler can access the problem URL. When "Decrypt HTTP traffic" is turned ON, Fiddler cannot access the problem URL and shows the error message:

HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 12:15:30.579
Connection: close

fiddler.network.https> HTTPS handshake to eus-eauth.ent.usda.gov failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The certificate chain was issued by an authority that is not trusted

I believe that Fiddler relies on the current Windows user certificate store and does not have a separate certificate store. If the current user's IE9 can access the problem URL, I am confused by the error "The certificate chain was issued by an authority that is not trusted".

I inspected the certificate chain and it looks like this:

Root
  Intermediate
    Subject

I can fetch the certificate for the Intermediate, but there is no certificate for the root, as it is available by OCSP only. Could this be the issue?

[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.verisign.com

Respectfully,
Victor Khong

EricLaw

Jun 10, 2014, 11:15:00 AM
to httpf...@googlegroups.com
Hi, Victor--

I'm not sure I understand the question. I have no problem loading the page https://www.eauth.usda.gov/ through Fiddler and the site appears to use a publicly-trusted certificate chain.

Have you by-chance reconfigured your Fiddler instance to use a ClientCertificate.cer file?

-Eric

Victor Khong

Jun 10, 2014, 1:57:47 PM
to httpf...@googlegroups.com
Hi Eric:

My Fiddler instance is using a ClientCertificate.cer file.

--Victor

Victor Khong

Jun 10, 2014, 1:59:03 PM
to httpf...@googlegroups.com
The ClientCertificate.cer is also trusted by the client running Fiddler.

EricLaw

Jun 11, 2014, 1:11:58 PM
to
Just to be clear here-- if you remove the ClientCertificate.cer file, does the problem go away? And more directly, do you have reason to believe that this server trusts the clientcertificate's issuer?

Victor Khong

Mar 28, 2016, 9:29:51 AM
to Fiddler
Eric:

You are correct. The server did not trust the client certificate. That was the cause of the error. Adding the Fiddler certificate to the trusted store of the server resolved the problem. We were using Fiddler to troubleshoot an HTTPS session.

Thank you for the suggestion.

Sorry for the late reply. Just closing this thread for others who may be reading this thread.

--Victor
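
The question raised in this thread, whether the server trusts the client certificate's issuer, starts with knowing exactly which issuer chain the ClientCertificate.cer file presents. The PowerShell below is an added example, not part of the thread or of Fiddler; the file path is a placeholder to replace, and the script only uses the standard .NET `X509Certificate2` and `X509Chain` classes.

```powershell
# Added example. $CertPath is a placeholder: point it at the ClientCertificate.cer
# that your Fiddler instance is configured to send.
param([string]$CertPath = 'C:\path\to\ClientCertificate.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

# Build the chain against the local Windows stores. Revocation is skipped so the
# result reflects issuer trust only, which is what the handshake error is about.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trustedLocally = $chain.Build($cert)

"Client certificate : $($cert.Subject)"
"Issued by          : $($cert.Issuer)"
"Valid              : $($cert.NotBefore) to $($cert.NotAfter)"
"Trusted on THIS PC : $trustedLocally"

# Local trust says nothing about the server. These are the issuers the server
# itself must have in its trusted store for client authentication to succeed.
"Issuer chain (leaf to root):"
foreach ($element in $chain.ChainElements) {
    "  {0}  [{1}]" -f $element.Certificate.Subject, $element.Certificate.Thumbprint
}

# Empty when the chain is clean; otherwise lists reasons such as UntrustedRoot.
foreach ($status in $chain.ChainStatus) {
    "  status: {0} {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

A result of `True` for local trust combined with a failing handshake matches the situation in this thread: the certificate chained correctly on the machine running Fiddler, but its issuer was not in the server's trusted store.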

EricLaw

Mar 28, 2016, 10:59:45 PM
to Fiddler
Thanks!