This is a migrated thread and some comments may be shown as answers.

Fiddler 4 Certificate err on Windows

1 Answer 1110 Views
Windows
This is a migrated thread and some comments may be shown as answers.
Sebastian
Top achievements
Rank 1
Sebastian asked on 08 Jan 2016, 08:08 AM

Hello,
I am using Fiddler to monitor HTTPS traffic for our private project. After upgrading to Windows 10 and installing Fiddler, I am unable to create a root certificate. I tried using Both CertEnroll and MakeCert and both returned that they cannot create a root certificate:

09:53:54:2275 Fiddler.CertMaker> [C:\Program Files (x86)\Fiddler2\MakeCert.exe -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha256 -m 132 -b 01/07/2015 ] Returned Error: Creation of the interception certificate failed.

makecert.exe returned -1.

Results from C:\Program Files (x86)\Fiddler2\MakeCert.exe -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha256 -m 132 -b 01/07/2015

Error: Can't create the key of the subject ('JoeSoft')
Failed

 


09:43:37:0332 /Fiddler.CertMaker> Invoking CertEnroll for Subject: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com; Thread's ApartmentState: MTA
09:43:39:0853 !ERROR: Failed to generate Certificate using CertEnroll. System.Reflection.TargetInvocationException Exception has been thrown by the target of an invocation. < CertEnroll::CX509PrivateKey::Create: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED)

Every time when changing the service I Reset All Certificates and/or Removed Interception Certificates. Also the key in AppData/Roaming/Microsoft/Crypt/RSA/{LONG_ID} is nowhere to be found (the folder is always empty).
After browsing through forums, I followed some instructions and downloaded the Bouncy Castle Certificate Maker (the one suggested for Android) and that one created 2 root certificates and added them to Windows so they will be trusted. After doing so, all my HTTPS traffic looked like HTTP with tunneling. When looking into that issue, I found that in Text view it said 

"This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Fiddler Options > HTTPS.
"

AND the logger returned a few of the following:

"10:02:38:5419 !Certificate cache didn't find certificate for [server.com]. Returning null to thread #30. ___ 10:02:38:5419 fiddler.https> Failed to obtain certificate for server.com due to Certificate Maker returned null when asked for a certificate for server.com"

AND

"Failed to create certificate for server.com: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation."

In the properties of a tunneling connection, I found

"X-HTTPS-DECRYPTION-ERROR: Could not find or generate interception certificate."

 

Do you have any solutions for me? I'd really appreciate it. Thank you! :)

1 Answer, 1 is accepted

Sort by
0
Sebastian
Top achievements
Rank 1
answered on 11 Jan 2016, 09:27 AM

Hello guys,

well it seems that it was a Windows problem. My account in part of a domain and Windows Credentials Manager didn't know I had the administrator rights on the computer (even though Run as Administrator did work for other tasks) and didn't let me create any type of certificate. The fix is a .reg file with the following content:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001


Tags
Windows
Asked by
Sebastian
Top achievements
Rank 1
Answers by
Sebastian
Top achievements
Rank 1
Share this question
or