7

I'm using the excellent Charles proxy to make web debugging easier. I'm using it's SSL proxying abilities, and have installed the generic CA Certificate that it comes bundled with. While this works, it's insecure because as long as my browser trusts this certificate, I am vulnerable to a MIM attack.

I'm trying to use OpenSSL to create a "Custom CA Certificate" since Charles allows to fix this. These are the steps I'm following:

NAME=daaku-ca
openssl genrsa -out $NAME.key 1024
openssl req -new -key $NAME.key -out $NAME.csr
openssl x509 -days 3650 -signkey $NAME.key -in $NAME.csr -req -out $NAME.crt
openssl pkcs12 -export -out $NAME.pfx -inkey $NAME.key -in $NAME.crt

Following these steps I end up with a Self signed root certificate $NAME.crt that I successfully imported into my Mac OS X keychain. And while the $NAME.pfx in Charles works and is being correctly used if I enter a password for it, it does not work if there's no password.

My question is how do I generate a certificate that works in Charles and does not need a password.

Charles
  • 50,943
  • 13
  • 104
  • 142
daaku
  • 2,797
  • 20
  • 20
  • Found some more information which likely explains it: http://rt.openssl.org/Ticket/Display.html?id=1497&user=guest&pass=guest -- still not sure how I can work around it. Maybe `keytool` can be used instead? – daaku Aug 20 '11 at 15:41

2 Answers2

7

I blogged about how to use a Custom SSL Certificate with Charles and in the last section I address the problem of having to type in the password every time Charles launches.

http://codeblog.shape.dk/blog/2014/01/06/custom-ssl-certificate-with-charles-web-proxy/

Peter
  • 1,495
  • 1
  • 14
  • 21
3

Since Charles 3.10 came out this is not an issue anymore since each installation generates its own certificate. So even if you trust the Charles-generated Certificate, you won't be susceptible to MIM attacks by other Charles users.

Per version 3.10 release notes:

Version 3.10 21 March 2015

Major new features, improvements and bug fixes.

SSL changes

SSL certificate root certificate change to generate a unique certificate for each installation of Charles (see SSL Proxying in the Help menu) SSL Proxying now has its own settings menu item in the Proxy menu Please note that these changes will affect the way you currently use Charles for SSL Proxying. You will need to install and trust a new certificate, which will be automatically generated for you. You can install that certificate on your computer using the options in the Help menu, under SSL Proxying. You can also export the certificate, to send to other systems, or browse to download the certificate to install on mobile devices such as iPhones.

fmello
  • 563
  • 2
  • 9