Can I use an SSL certificate from a trusted CA on mitmproxy?

Question

Using mitmproxy with its own certificate and private key is fairly straightforward. It is also easy to make mitmproxy work with a self-signed certificate. But my question is about making it work with a certificate bought from a trusted CA.

Imagine I bought an SSL certificate and key pair from a known CA, like Digicert. When I buy it, I specify a domain name for which I intend to use that certificate, say johnshomepage.com.

Is it theoretically possible to configure mitmproxy to work with this certificate & key pair? If not, why?

Thanks in advance.

In which mode do you want to use mitmproxy? A single custom certificate (not an intermediate CA cert) would only make sense in reverse mode. — Robert, Oct 08 '20 at 07:02
@Robert: mitmproxy is smart enough to handle custom certificates in regular or transparent mode as well, see the documentation I linked in my answer. :) — Maximilian Hils, Oct 08 '20 at 10:56

score 1 · Answer 1 · answered Oct 08 '20 at 10:54

1

This is perfectly doable. You can use your own (leaf) certificate by passing the --cert [domain=]path_to_certificate option to mitmproxy.

More details are in the documentation: https://docs.mitmproxy.org/stable/concepts-certificates/#using-a-custom-server-certificate

answered Oct 08 '20 at 10:54

Maximilian Hils

6,309
3
27
46

Thank you for the response. I have been successful in doing this using my own self-signed certificate. However, when I tried to use a certificate obtained (bought) from a trusted CA, it did not work, I could see some requests going to the CA's server before initiating a TLS session.The https communication from the mitmproxy's client never happened. – John Butler Oct 12 '20 at 04:36

Can I use an SSL certificate from a trusted CA on mitmproxy?

1 Answers1