This is a migrated thread and some comments may be shown as answers.

Validity period of generated certificates too long

3 Answers 1678 Views
Fiddler Classic
Jan asked on 06 Jan 2021, 12:47 PM

When I look at the HTTPS certificates generated by Fiddler these certificates have a validity period of more than 3 years. 

 

As more and more web browsers do not accept certificates that have a validity of more than one year, this leads to problems where valid certificates are rejected by the web browser just because of the long validity.

I already ran into this problem using Chrome for Android...

 

Is there an option to configure the default validity period of the generated certificates?

0
Lini
Telerik team
answered on 07 Jan 2021, 07:27 AM

Hi,

By default, Fiddler generates site certificates that are valid for 3 or 11 years, starting 1 year before the current date - e.g. for a certificate created on Jan 6, 2021, its validity will be from Jan 6th, 2020 to either 2023 or 2031, depending on the certificate engine used. To modify the start/end dates you need to use the "MakeCert" engine and add a specific key in the Windows Registry with the options.

First, open the Fiddler options window and navigate to the "HTTPS" tab. There you will see which engine Fiddler is using for the certificates. Look for the text "Certificates generated by ...". Click the name of the engine if it is not set to "MakeCert" and set it. If you change this value, do not forget to restart Fiddler and regenerate your root certificate! Finally, close the Fiddler app.

Next, open the Windows Registry Editor, navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2 and create a new string value, called "MakeCertParamsEE". Set it to:

-pe -ss my -n "CN={0}{1}" -sky exchange -in {2} -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a {3} -m 13 -b {4} {5}

Note the "-m 13" parameter. This parameter sets the time period in months (in this case 13 months or one year and one month) for the generated site certificates. You can change this value to one that suits you - e.g. 24 for two years. After you set the registry entry, open Fiddler and verify that newly generated certificates are using the period you set.

Finally, if you don't want the site certificates to be valid one year before today, you can modify the registry key value and replace the "-b {4}" parameter with the date you want as start. For example "-m 12 -b 12/12/2020" will make a certificate valid from 12/12/2020 to 12/11/2021.

Regards,
Lini
Progress Telerik
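
The registry step and the verification step from this answer, scripted in PowerShell as an added example (not part of the original post and not Telerik's code). It assumes the generated certificates land in the current user's "my" store, as the `-ss my` option requests, and that the root certificate's name contains `FiddlerRoot`; `$maxDays` is an assumed threshold to adjust.

```powershell
# Added example: write the MakeCertParamsEE value described above, then audit
# the validity period of the site certificates Fiddler has generated.
# Run the first part with Fiddler Classic closed.

$key    = 'HKCU:\SOFTWARE\Microsoft\Fiddler2'
$name   = 'MakeCertParamsEE'
$months = 13   # validity in months, handed to the engine as -m

# Single quotes keep {0}..{5} and the embedded double quotes verbatim.
$value = '-pe -ss my -n "CN={0}{1}" -sky exchange -in {2} -is my ' +
         '-eku 1.3.6.1.5.5.7.3.1 -cy end -a {3} -m ' + $months + ' -b {4} {5}'

if (-not (Test-Path $key)) {
    throw "Registry key $key not found; start Fiddler Classic once first."
}
New-ItemProperty -Path $key -Name $name -Value $value `
    -PropertyType String -Force | Out-Null
Write-Host "Set $name = $((Get-ItemProperty -Path $key -Name $name).$name)"

# Second part: run after restarting Fiddler and loading a few HTTPS sites.
# Assumption: the issuer name of the Fiddler root contains 'FiddlerRoot';
# change the pattern to match the root certificate on your machine.
$issuerPattern = 'FiddlerRoot'
# Assumed threshold (about 13 months); set it to the limit your client enforces.
$maxDays = 398

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match $issuerPattern -and $_.Subject -ne $_.Issuer } |
    ForEach-Object {
        $days = [math]::Round(($_.NotAfter - $_.NotBefore).TotalDays)
        [pscustomobject]@{
            Subject   = $_.Subject
            NotBefore = $_.NotBefore.ToString('yyyy-MM-dd')
            NotAfter  = $_.NotAfter.ToString('yyyy-MM-dd')
            Days      = $days
            TooLong   = $days -gt $maxDays
        }
    } |
    Sort-Object Days -Descending |
    Format-Table -AutoSize
```

Certificates issued before the registry change keep their old validity, so any row with `TooLong` set to `True` was generated earlier and needs to be removed and regenerated.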


gordey
commented on 22 May 2021, 07:23 PM

After I followed your steps, I can no longer decrypt HTTPS even when enabled. Help
Jan
commented on 23 May 2021, 10:14 AM

@gordey I would assume that the Fiddler root-CA certificate has changed, therefore you have to re-install it on your device. If you want to sniff traffic on Android, make sure to install the Fiddler root cert as a system certificate, otherwise it will be ignored by nearly all apps (the Fiddler Android tutorial is heavily outdated and only works with apps more than 3-4 years old).
Nick Iliev
Telerik team
commented on 31 May 2021, 08:02 AM

Hey Gordey and Jan,

 

You could try the alternative solution discussed in this forum thread. The specific solution steps are as follows:

- Open Fiddler Classic and in the QuickExec box type prefs show

- On your right side, you should see a new tab that lists Fiddler preferences. Find the preferences called fiddler.certmaker.bc.ee.yearsvalid and change its value to (for one year). This should change the validity for dynamically generated certificates from CertMaker to approximately one year starting seven days prior to the current day.

Alternatively, you could use the QuickExec box and directly set the value via the command as follows:

prefs set fiddler.certmaker.bc.ee.yearsvalid 1

 
by Nick Iliev on 20 May 2021, 05:22 PM

 

Meanwhile, the team is working on providing a long-term solution so that the dynamically generated certificates will be created with the proper validity period.

0
Jan
answered on 08 Jan 2021, 09:59 AM

Thanks for your feedback.

 

I tried to configure Fiddler as you described, however using the recent version of Fiddler Classic this seems to be impossible because the installation does not contain the `CertMaker.dll`. Therefore switching to "MakeCert" always fails:

10:51:57:5004 Assembly 'C:\Users\XYZ\AppData\Local\Programs\Fiddler\CertMaker.dll' was not found. Using default Certificate Generator.


I even uninstalled Fiddler, deleted all settings and made a fresh re-installation using the latest version from your website.

So if this file is required where to get it from? I wasn't able to find a trustworthy source for this dll on the internet.

1
Lini
Telerik team
answered on 12 Jan 2021, 08:55 AM

Hello,

CertMaker is another way to generate certificates - it is not installed out of the box with Fiddler Classic. This error should not matter if you select the MakeCert engine. If you decide to use the CertMaker engine anyway, you can get it from http://fiddler2.com/r/?fiddlercertmaker/. Download the extension and install it with Fiddler stopped. When you start Fiddler next time, the HTTPS options will be updated to use it (see attached screenshot). Note that you will need to reset your root certificate again after updating the certificate generating engine.

 

Regards,
Lini
Progress Telerik
