The CertEnroll Certificate Generator

Back in 2013, I wrote about the Certificate Generation logic in Fiddler, and the downloadable CertMaker add-on you can use to replace the default generator with an iOS-compatible generator.

The latest 2.4.9.9 builds of Fiddler include a new engine for certificate generation, based on the Windows CertEnroll APIs instead of the legacy MakeCert.exe engine. The primary benefit of the CertEnroll engine is it generates certificates that contain the SubjectKeyIdentifier and AuthorityKeyIdentifier extensions required for use with iOS clients. While you can still use the CertMaker add-on, it’s no longer required on Windows 7 and later.

You can configure Fiddler to use the CertEnroll engine when running on Windows 7+ by clicking on the Fiddler.DefaultCertificateProvider link inside the Tools > Fiddler Options > HTTPS tab:

In the dialog that appears, you can switch from the old MakeCert.exe engine to the CertEnroll engine:

After you restart Fiddler, you should find that Fiddler is now generating certificates using the new engine. If you encounter any problems, clear out any old certificates from Fiddler using the following procedure:

1. Uncheck the Decrypt HTTPS traffic checkbox
2. Click the Remove Interception Certificates checkbox
3. Accept any prompts to delete certificates from Windows’ certificate stores
4. Recheck the Decrypt HTTPS traffic checkbox
5. Accept any prompts to add certificates to Windows’ certificate stores

CertEnroll-generated certificates should work properly for iOS (after configuration) apps and Safari and nearly all other clients.

One known exception is Chrome for iOS which will show certificate errors no matter which certificate generator you use. That's because Chrome ignores iOS’s trusted certificate store; they use their own certificate validation logic for security purposes. If the site isn’t protected using HSTS or Certificate Pinning, you can generally “click through” Chrome’s certificate error warnings and capture its traffic.

Bring Your Own Certificate

If you're attempting to use Fiddler to debug your own website and you have access to the server’s original HTTPS Certificate and private key, you can configure Fiddler to use this certificate and private key instead of generating its own.

To do so, click Rules > Customize Rules, scroll to the Main function and add the following line:

    CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");

Save the script and Fiddler will begin using the certificate you specified when decrypting traffic to the hostname you provided. Note that wildcarding is not supported, so you'll need to make multiple calls if your certificate supports multiple hostnames (e.g. both example.com and www.example.com).

The .pfx file contains both the certificate and private key, the latter is typically protected by a password which you must supply in your script.

If your certificate is instead located in the Windows Certificate store (see certmgr.msc), you can load it into an X509Certificate2 object and use it like so: