CertMaker for iOS and Android not creating correct cert

Taylor asked on 19 May 2021, 10:32 PM
Hi,

We are using Fiddler Classic with the CertMaker for iOS and Android extension. We made sure to "Reset All Certificates" through Fiddler and double checked if there were any leftover in the certificate stores (user and machine).

After installing the certificate created by CertMaker for iOS and Android, we are getting errors on mobile saying the certificate is invalid. We checked the certificate, and it has a lifetime of 10 years, while in Fiddler, it says it has a lifetime of 2 years.

Screenshots attached. Is there a regression in the CertMaker for iOS and Android?

Nick Iliev
Telerik team
answered on 20 May 2021, 06:55 AM

Hello Taylor,

Newer mobile versions of browsers like Chrome will reject certificates with a longer validity period. The solution is to manually modify the validity of the generated certificate (no matter if you are using CertMaker or MakeCert). You can find a detailed description of the problem and solution to manually modify the validity of the generated certificate in the following forum thread:

https://www.telerik.com/forums/validity-period-of-generated-certificates-too-long

Regards,
Nick Iliev
Progress Telerik

Taylor
commented on 20 May 2021, 06:59 AM | edited

Hi Nick, in the attached screenshots, you can see the extension says the validity is 2 years, while the actual certificate is 10 years. This seems like a bug and possible regression. We previously used this extension before, and the certificate created had a lifetime of 2 years like the extension shows (actually, I think it was at most 398 days since I found the old cert in the store when double checking). Do you mind telling me what the CertMaker for iOS and Android extension does, as it seems to not be doing this correctly anymore.
Nick Iliev
Telerik team
commented on 20 May 2021, 07:36 AM

The thing is that the newer mobile browsers are now supporting one year as a maximum validity period (see related threads like this one https://www.thesslstore.com/blog/google-chrome-to-join-apple-safari-in-one-year-certificate-validity/) while the default Fiddler configuration will create dynamic certificates with a validity of two years.

The certificate you see with ten years validity is the root one and is not the one that is causing the issue. The problem on your side is that the dynamically created certificates for each different site have a 2-year validity instead of a 1-year validity. So the solution is to change the Fiddler configuration as shown in this forum thread and change the registry key configuration to 12 months. After executing the steps, Fiddler Classic will start to dynamically generate site certificates with a one-year validity period instead of two years.

Taylor
commented on 20 May 2021, 07:39 AM

Ah okay I see. Thanks for the clarification. I'll give that a try tomorrow and report back.
Taylor
commented on 20 May 2021, 12:06 PM

Hi Nick, the proposed way from that forum post you linked doesn't seem to work. From some quick reading online, MakeCert will not create certificates that are compatible with iOS and (some) Android devices (https://www.telerik.com/blogs/understanding-fiddler-certificate-generators). The blog is a bit old, but I was facing invalid CN errors when using MakeCert.

Can we configure the lifetime of the dynamic certificates generated by the "CertMaker for iOS and Android" extension? It seems counterintuitive that it makes them last 2 years rather than 1, as we've both seen that mobile browsers are limiting it to 1 year. The other forum post you linked only has instructions for MakeCert.
Nick Iliev
Telerik team
commented on 20 May 2021, 02:22 PM

Hey Taylor,

Indeed the suggested "hack" should be applicable only for MakeCert.

Could you try the following alternative solution:

- Open Fiddler Classic and in the QuickExec box type prefs show

- On your right side, you should see a new tab that lists Fiddler preferences. Find the preference called fiddler.certmaker.bc.ee.yearsvalid and change its value to 1 (for one year). This should change the validity for dynamically generated certificates from CertMaker to approximately one year starting seven days prior to the current day.

Alternatively, you could use the QuickExec box and directly set the value via the command as follows

prefs set fiddler.certmaker.bc.ee.yearsvalid 1
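
A way to confirm the effect of this preference, as an added example that is not part of the original thread or of Fiddler: it audits certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, skipping the lifetime cap for the self-issued root as described above. The 398-day default, the certificate names and the dates are assumptions or constructed samples.

```python
import ssl
from datetime import datetime, timezone

MAX_LEAF_DAYS = 398  # assumption: the limit mentioned earlier in this thread

def flat_name(name):
    # getpeercert() names are a tuple of RDNs, each a tuple of (key, value) pairs
    return {key: value for rdn in name for key, value in rdn}

def audit(cert, max_days=MAX_LEAF_DAYS, now=None):
    """Audit one certificate dict in ssl.SSLSocket.getpeercert() shape."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    days = round((not_after - not_before) / 86400)
    subject, issuer = flat_name(cert["subject"]), flat_name(cert["issuer"])
    # Self-issued means root; following the thread, only site certs get the cap
    role = "root" if subject == issuer else "leaf"
    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    if role == "leaf" and days > max_days:
        problems.append(f"lifetime {days} days exceeds {max_days}")
    return {"cn": subject.get("commonName"), "role": role,
            "days": days, "problems": problems}

def make_cert(cn, issuer_cn, not_before, not_after):
    # Builds a constructed sample; a real dict would come from getpeercert()
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": not_before, "notAfter": not_after}

ROOT = "Example Proxy Root (constructed)"
SAMPLES = [  # constructed: ten-year root, two-year leaf, one-year leaf
    make_cert(ROOT, ROOT, "May 13 00:00:00 2021 GMT", "May 11 00:00:00 2031 GMT"),
    make_cert("two-year.example", ROOT, "May 13 00:00:00 2021 GMT", "May 13 00:00:00 2023 GMT"),
    make_cert("one-year.example", ROOT, "May 13 00:00:00 2021 GMT", "May 13 00:00:00 2022 GMT"),
]

if __name__ == "__main__":
    fixed_now = ssl.cert_time_to_seconds("May 20 12:00:00 2021 GMT")
    for sample in SAMPLES:
        print(audit(sample, now=fixed_now))
```

`getpeercert()` returns an empty dict when the peer certificate was not validated, so the client running the audit has to trust the proxy's root first.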

Taylor
commented on 21 May 2021, 09:23 PM | edited

Hi Nick, I gave it a try and see the certs are being generated with 1 year, which is great. Unfortunately it's giving me ERR_CERT_AUTHORITY_INVALID. For a sanity check, I thought maybe my root CA wasn't working, so I reinstalled the root CA into the system store on Android (emulator with root ADB), made sure it was enabled, and rebooted, but no luck. Do you know what I might be missing?
Nick Iliev
Telerik team
commented on 25 May 2021, 07:56 AM

Could you also try to completely reset the Fiddler root certificates on the host machine (where the Fiddler proxy is being set - I guess that in your case, that would be the same PC that hosts the Android emulator).

Additionally, is the issue happening when using an actual device or the OS browsers? If possible, try to reproduce the issue on another emulator or real device to eliminate the possibility of dealing with a specific Android emulator issue with the trusted authorities.

Lastly, some browsers are having issues when the Fiddler root certificate is not in their Trusted Authorities store. Not sure which browsers are causing the issue, but you could also check the OS certificate settings and check if the issue will be resolved by adding the Fiddler certificate in the authorities store.

Taylor
commented on 26 May 2021, 05:18 AM

Hey Nick, thanks for the help. I ended up just creating a new emulator, rerunning my script to install the certificate into the system store, and it's working now. Thanks again!