Failed to identify private key location for Root Certificate - CertEnroll and MakeCert failing

9 posts, 0 answers
  1. Philip
    7 posts
    Member since:
    Sep 2019

    Posted 05 Sep

    I have Fiddler set up as a reverse proxy to capture requests and responses from my app. While my app is working, Fiddler is not capturing any requests or responses, and I'm getting these errors in my Fiddler log. I tried CertEnroll and MakeCert, but both throw different errors.

    I tried searching for this error and I read this article but I don't know what the issue is:
    https://www.telerik.com/blogs/faq---certificates-in-fiddler

    How can I fix these errors so Fiddler can capture my requests and responses in my app?

    -= Fiddler Event Log =-
    See http://fiddler2.com/r/?FiddlerLog for details.

    15:13:46:5212 Fiddler Running...
    15:13:46:5592 !WARNING Fiddler has detected that Chrome GPO specifies proxy configuration 'system'.
    15:13:54:5022 /Fiddler.CertMaker> Using Fiddler.DefaultCertificateProvider+CertEnrollEngine for certificate generation
    15:13:54:5252 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
    15:13:54:5272 /Fiddler.CertMaker> Invoking CertEnroll for arguments: CN=doesitmatter.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
    15:13:54:8502 !ERROR: Failed to generate Certificate using CertEnroll. System.Reflection.TargetInvocationException Exception has been thrown by the target of an invocation. < CertEnroll::CSignerCertificate::Initialize: The certificate does not have a property that references a private key. 0x8009200a (-2146885622)
    15:13:54:8502 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
    15:13:54:8502 !Fiddler.CertMaker> Tried to create cert for doesitmatter.com, but can't find it from thread 10!
    15:13:54:8512 fiddler.https> Failed to obtain certificate for doesitmatter.com due to Certificate Maker returned null when asked for a certificate for doesitmatter.com
    15:13:59:8712 /Fiddler.CertMaker> Invoking CertEnroll for arguments: CN=some-url.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
    15:13:59:8712 /Fiddler.CertMaker> Reusing PrivateKey for new certificate.
    15:13:59:8812 !ERROR: Failed to generate Certificate using CertEnroll. System.Reflection.TargetInvocationException Exception has been thrown by the target of an invocation. < CertEnroll::CSignerCertificate::Initialize: The certificate does not have a property that references a private key. 0x8009200a (-2146885622)
    15:13:59:8812 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
    15:13:59:8812 !Fiddler.CertMaker> Tried to create cert for some-url.com, but can't find it from thread 13!
    15:13:59:8812 fiddler.https> Failed to obtain certificate for some-url.com due to Certificate Maker returned null when asked for a certificate for some-url.com


    When I use makeCert:


    -= Fiddler Event Log =-
    See http://fiddler2.com/r/?FiddlerLog for details.

    17:27:43:2012 Fiddler Running...
    17:27:43:2322 !WARNING Fiddler has detected that Chrome GPO specifies proxy configuration 'system'.
    17:27:48:1422 /Fiddler.CertMaker> Using Fiddler.DefaultCertificateProvider+MakeCertEngine for certificate generation
    17:27:48:1652 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
    17:27:48:1682 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018
    17:27:48:8222 /Fiddler.CertMaker>11-CreateCert(something.com) => (-1)
    Results from C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018

    Error: Fail to acquire a security provider from the issuer's certificate
    Failed
    -------------------------------------------

    17:27:48:8222 Fiddler.CertMaker> [C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018 ] Returned Error: Creation of the interception certificate failed.

    makecert.exe returned -1.

    Results from C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018

    Error: Fail to acquire a security provider from the issuer's certificate
    Failed
    -------------------------------------------
  2. Philip
    7 posts
    Member since:
    Sep 2019

    Posted 05 Sep in reply to Philip

    Fiddler v4.5.1.2
  3. Philip
    7 posts
    Member since:
    Sep 2019

    Posted 09 Sep

    need help
  4. Eric R | Technical Support Engineer
    Admin
    230 posts

    Posted 10 Sep

    Hi Philip,

    It looks like the Certificate Common Name (CN) is incorrect. This is usually DO_NOT_TRUST_FiddlerRoot, and I don't see where doesitmatter.com is being set. I recommend resetting the configuration using the steps below.

    Step 1 - Go to Tools -> Fiddler Options -> HTTPS

    Step 2 - Untick "Decrypt HTTPS"

    Step 3 - Click Remove Interception Certificates. (Accept All Prompts)

    Step 4 - Retick "Decrypt HTTPS"

    For setting up the reverse proxy, see the Use Fiddler as a Reverse Proxy documentation.

    Please give this a try and let me know the results. Thank you and I look forward to your reply.

    Regards,


    Eric R | Technical Support Engineer
    Progress Telerik

    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items.
  5. Philip
    7 posts
    Member since:
    Sep 2019

    Posted 11 Sep in reply to Eric R | Technical Support Engineer

    I did what you said and now my app isn't running at all. Giving this error:

    java.rmi.RemoteException: Error when invoking remote method: somesoapservice; nested exception is:
        java.lang.reflect.InvocationTargetException
    Caused by: javax.xml.ws.soap.SOAPFaultException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    Caused by: com.ibm.jsse2.util.h: KeyUsage does not allow digital signatures

    Can you update these instructions? They weren't right for me. I had to create the DWORD string and give it the value of my port. It did not already exist.

  6. Philip
    7 posts
    Member since:
    Sep 2019

    Posted 11 Sep

    I'm getting this error along with the "KeyUsage does not allow digital signatures" error.

    CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=myservice.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" was sent from target host:port "127.0.0.1:8888".  The signer may need to be added to local trust store "C:/Program Files (x86)/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/MYNode01Cell/nodes/MYNode01/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "KeyUsage does not allow digital signatures".


    As you can see, I've already added the Fiddler and myservice.com certs to my trust.p12 that's shown in the above error. However, I think it's looking for the cert Fiddler created for myservice.com. I don't know where that cert is or why I would need to add it.
    $ keytool -list -v -keystore  trust.p12
    Enter keystore password:  WebAS
    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 2 entries

    Alias name: fiddlernew
    Creation date: Sep 11, 2019
    Entry type: trustedCertEntry

    Owner: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
    Issuer: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
    Serial number: 414c37d1e9259bb6431f9bd685b66439
    Valid from: Sun Sep 09 06:28:18 EDT 2018 until: Sun Sep 08 06:28:18 EDT 2024
    Certificate fingerprints:
             MD5:  23:46:FD:3B:30:16:9D:98:68:2A:8B:64:6C:32:CA:A7
             SHA1: 23:B0:43:DF:37:1A:C7:2E:BB:D4:47:A1:ED:24:86:9B:1F:CA:04:6A
             SHA256: EB:39:30:D0:31:41:3F:28:DE:2F:B2:1A:A7:87:E0:99:A7:D4:9D:EB:A2:24:65:B5:26:EA:38:3A:AD:43:66:43
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:0
    ]

    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
    ]

    #3: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      Key_CertSign
      Crl_Sign
    ]

    #4: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 6B 59 E5 48 17 90 8D A8   69 20 C2 A3 9C 79 1E 9F  kY.H....i ...y..
    0010: 9E A9 7F 8D                                        ....
    ]
    ]



    *******************************************
    *******************************************


    Alias name: myservice
    Creation date: Sep 11, 2019
    Entry type: trustedCertEntry

    Owner: CN=myservice.com......the rest of my myservice.com ...
    I'm trying different ciphers now in case it's a cipher issue instead of a cert one. I was able to run my app and hit myservice.com fine; the requests just weren't showing in Fiddler. But now the requests don't complete.

  7. Philip
    7 posts
    Member since:
    Sep 2019

    Posted 11 Sep in reply to Philip

    Fiddler Dev Log

    16:19:40:9857 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. on pipe to (CN=myservice.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
    16:42:14:1337 !SecureClientPipeDirect failed: System.IO.IOException Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. < A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond on pipe to (CN=myservice.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
  8. Philip
    7 posts
    Member since:
    Sep 2019

    Posted 11 Sep

    I finally got it working. I had to disable all SSL_ECDHE_* and SSL_DHE_* ciphers in my WebSphere 8.5.0.0. Now it's using SSL_RSA_WITH_AES_128_GCM_SHA256 to connect successfully. I'm pretty sure this defect was the cause of my issue.
    http://www-01.ibm.com/support/docview.wss?uid=swg1PM68915
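An added example, not from this thread or from Fiddler/IBM: it parses the KeyUsage block from a `keytool -list -v` dump and filters a list of JSSE cipher suites down to those the certificate's key usage permits. ECDHE_RSA/DHE_RSA suites need the server to sign the ephemeral key exchange (digitalSignature), while plain RSA key exchange only needs keyEncipherment, which is why dropping the SSL_ECDHE_*/SSL_DHE_* suites can make a handshake succeed with such a certificate. The ROOT dump mirrors the DO_NOT_TRUST_FiddlerRoot entry above; LEAF_RSA_ONLY is a constructed, hypothetical interception certificate.

```python
import re

# KeyUsage bit names exactly as `keytool -list -v` prints them.
DIGITAL_SIGNATURE = "DigitalSignature"
KEY_ENCIPHERMENT = "Key_Encipherment"


def parse_key_usage(keytool_output):
    """Return the KeyUsage names found in a keytool -list -v dump, or None when the
    extension is absent (RFC 5280 4.2.1.3: no KeyUsage means no restriction)."""
    m = re.search(r"(?<!\w)KeyUsage \[\s*(.*?)\s*\]", keytool_output, re.S)
    return None if m is None else frozenset(m.group(1).split())


def required_usage(cipher_suite):
    """Map a JSSE suite name to the KeyUsage bit the server certificate must carry.
    (EC)DHE_RSA: server signs ServerKeyExchange  -> digitalSignature.
    RSA key exchange: client encrypts premaster  -> keyEncipherment."""
    kex = re.match(r"(?:SSL|TLS)_(.+?)_WITH_", cipher_suite).group(1)
    if kex in ("ECDHE_RSA", "DHE_RSA"):
        return DIGITAL_SIGNATURE
    if kex == "RSA":
        return KEY_ENCIPHERMENT
    raise ValueError("unhandled key exchange: " + kex)


def usable_suites(keytool_output, cipher_suites):
    """Suites whose key-exchange requirement is satisfied by the certificate's KeyUsage."""
    usages = parse_key_usage(keytool_output)
    return [s for s in cipher_suites if usages is None or required_usage(s) in usages]


# Constructed keytool excerpts (not real dumps). ROOT copies the CA-only usage shown in
# the thread; LEAF_RSA_ONLY is a hypothetical leaf with keyEncipherment alone.
ROOT = """#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
"""
LEAF_RSA_ONLY = "KeyUsage [\n  Key_Encipherment\n]\n"
SUITES = ["SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "SSL_DHE_RSA_WITH_AES_128_GCM_SHA256",
          "SSL_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for name, dump in (("root", ROOT), ("leaf", LEAF_RSA_ONLY)):
        print(name, usable_suites(dump, SUITES))
```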


  9. Eric R | Technical Support Engineer
    Admin
    230 posts

    Posted 12 Sep

    Hi Philip,

    I am glad to hear this resolved your scenario. As always, if you have any additional questions please don't hesitate to create a new thread.

    Thank you for using the Fiddler Forums.

    Regards,


    Eric R | Technical Support Engineer
    Progress Telerik
