Certificate


Thoni A

Jan 31, 2025, 4:02:25 PM
to ZAP User Group

Hello All,

Can you update the ZAP user group with this response for the following case?

https://groups.google.com/g/zaproxy-users/c/v-cI0U87feE/m/g1QfoFM9AAAJ

We are trying to use our internal certificate but ZAP is not accepting it. In the screenshot of the certificate I want to change the common name to our internal hostname, and "Issued by" needs to be changed to organization info.

If we want to use a custom CA certificate, how can we use it for ZAP and enable it?

Can someone assist us in fixing this issue?

Simon Bennetts

Feb 3, 2025, 11:43:30 AM
to ZAP User Group
I did reply, and my reply to you is the same.

We recommend using the one ZAP generates.
It's worth noting that ZAP needs a Root CA certificate. A standard CA certificate will not work.

Cheers,

Simon

Thoni A

Feb 3, 2025, 6:07:27 PM
to ZAP User Group
Thank you for your reply.
I understood that we need to use the ZAP-generated CA certificate for HTTPS encryption.
I just wanted to check: is there any way that we can use our internal custom certificates for HTTPS encryption for the ZAP UI?
If not, do you have any plans to add enhancements in future versions to use internal custom certificates for the ZAP UI?

Simon Bennetts

Feb 4, 2025, 4:26:32 AM
to ZAP User Group
Can you explain what you need in more detail please, including the reasons for your requirements?
You can already import an alternative Root CA certificate into ZAP.

Cheers,

Simon

Thoni A

Feb 4, 2025, 12:59:50 PM
to ZAP User Group

Hey Simon,
Our requirements:
We want to enable HTTPS encryption for the ZAP UI in the browser. In the browser certificate viewer of the ZAP UI, we see our internal hostname, but "Issued by" needs to be changed to our organization info. In all our other apps except ZAP the certificate viewer shows our organization info, so we're trying to enable the same thing here.

Workaround:
From the command line, we are loading the root CA certificate, using the command "/opt/zap/zap.sh -daemon -certload /etc/ssl/certs/zaproxy.pem -host dns.hostname.test.local -port 8081 -config api.key=ZAPROXY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true"
The cert is loaded, as it shows in the log: [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Root CA certificate loaded from /etc/ssl/certs/zaproxy.pem
In the certificate viewer, we are not able to see our organization-related issued info; instead it shows the ZAP organization-related info in the "Issued" parts.

Here is the zaproxy.pem file info:
#zaproxy.body
-----BEGIN CERTIFICATE-----
xxxxddwucbsh...

xxxx
dhehhe
-----END CERTIFICATE-----
#zaproxy.key
-----BEGIN PRIVATE KEY-----
xxxxjdieddns...

xxxx
nxjshcjsncdcn+g==
-----END PRIVATE KEY-----
#zaproxy.chain
-----BEGIN CERTIFICATE-----
xxxxxncjdcdj....

xxxx
dkwjddjwkdj=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
hdsjhdsnxcs....

xxxx
hsjhshcjscjsakhcaouhcjkabcjkdbvudiscjdbdsbbduvdusde=
-----END CERTIFICATE-----

 

Not sure what is missing here. Can you please guide us to fix this issue?
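Added example, not part of the thread and not ZAP code: a shell check, using the openssl CLI, of whether the first certificate in a PEM file like the one above is a root CA in the sense of the earlier reply (subject equals issuer, basicConstraints CA:TRUE), and how many certificates and keys the file holds. The function names and the generated sample certificates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify the first certificate in a PEM file.
# Function names and sample subjects below are constructed for illustration.

# Prints root-ca, not-self-issued or not-a-ca for the first certificate in $1.
cert_kind() {
    local pem="$1" subject issuer
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" != "$issuer" ]; then
        echo "not-self-issued"      # issued by another CA: a leaf or an intermediate
    elif openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "root-ca"              # subject equals issuer and marked as a CA
    else
        echo "not-a-ca"             # subject equals issuer, but not marked as a CA
    fi
}

# Prints "<certificate count> <key|nokey>" for the PEM bundle in $1.
bundle_layout() {
    local certs key=nokey
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" && key=key
    echo "$certs $key"
}

# Builds constructed samples in directory $1: a root CA (root.pem = cert + key)
# and a leaf for hostname.test.local bundled as leaf, key, then issuer.
make_samples() {
    local d="$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
        'CN=Constructed Root CA' '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
        '[leaf_ext]' 'basicConstraints=CA:FALSE' > "$d/o.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/o.cnf" \
        -extensions ca_ext -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" \
        -subj "/CN=hostname.test.local" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/o.cnf" -extensions leaf_ext \
        -out "$d/leaf.crt" 2>/dev/null
    cat "$d/ca.crt" "$d/ca.key" > "$d/root.pem"
    cat "$d/leaf.crt" "$d/leaf.key" "$d/ca.crt" > "$d/leaf-bundle.pem"
}
```

Running `cert_kind` and `bundle_layout` against the file passed to `-certload` shows whether it starts with a root CA certificate or with a host certificate followed by its chain.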

Simon Bennetts

Feb 5, 2025, 7:13:28 AM
to ZAP User Group
OK, so your apps are checking the "Issued by" field in the certificates?
Is this the same value for all apps or do they differ?

We do not currently have a config option for this, but if it's always the same info then I think it should not be too hard to add.

Cheers,

Simon

Thoni A

Feb 5, 2025, 4:47:04 PM
to ZAP User Group

Thank you, Simon, for your response.
Yes, my apps are checking "Issued By" in the certificate viewer and it is the same for all apps.

My requirement is to add my organization info in "Issued by" and to remove the ZAP community info in the "Issued to" checks.
Below is an example of the certificate viewer as per my requirements.
Certificate viewer example:
Issued To
  Common Name (CN)  hostname.test.local
  Organization (O)  <Not Part Of Certificate>
  Organizational Unit (OU)  <Not Part Of Certificate>

 

Issued By
  Common Name (CN)  organization info certificate CA G4
  Organization (O)  organization name
  Organizational Unit (OU)  organization unit

Simon Bennetts

Feb 10, 2025, 10:46:07 AM
to ZAP User Group
Could you raise a feature request for this?

Many thanks,

Simon

Thoni A

Feb 10, 2025, 4:49:30 PM
to ZAP User Group
Sure, here is the feature request:
https://github.com/zaproxy/zaproxy/issues/8849

If you don't mind me asking, can you please let me know when this feature is going to be available to use?
Thank you

Simon Bennetts

Feb 11, 2025, 7:38:33 AM
to ZAP User Group
Many thanks!

When will it be available?

Cheers,

Simon

Thoni A

Feb 12, 2025, 4:31:55 PM
to ZAP User Group

I have created a conversation in the ZAP Developer group.
Here is the conversation:

https://groups.google.com/g/zaproxy-develop/c/wgsTib6yHBI/m/ozRQqLgvAAAJ

 