Browser Certificate Installation Guide

Version: 10.0 / Modifications: 0

Introduction

This manual describes how to install browser certificates for testing access and modifications to sites that are protected by HTTP Strict Transport Security (HSTS). It is assumed that the reader is familiar with the basic steps of deploying configurations within Composable Agentic Platform and knows how to view the console output associated with the Composable Agentic Platform proxy server.

When using the Composable Agentic Platform browser proxy to access secure web sites over HTTPS, you will encounter a certificate warning in the browser, like the following:

Certificate warning

These warnings are relatively easy to get around by clicking on the Advanced button and adding an exception.

However, with the advent of HTTP Strict Transport Security (HSTS) this has now become impossible to do as the browser will refuse to add the exception:

Not possible to add an exception for the certificate

The following guide provides instructions on how to overcome this problem by installing a trusted certificate authority (CA) into your browser. Composable Agentic Platform in turn uses this CA to generate valid replacement certificates for each SSL site on the fly, and because the browser trusts the CA, it accepts those certificates without a warning.

Getting started

Before you begin you should make some updates to your Composable Agentic Platform installation.

Required Updates

The first step is to update/install the following components via the update server:

  • Composable Agentic Platform console (10.0.0:21050 or later)

  • Base Rules (2021-07-16 or later)

  • BIP Runtime (2018-08-07 or later)

  • HTTP Rules (2021-07-15 or later)

Locating the certificate

After the BIP Runtime extension has been installed, locate the folder named ‘Certificates’ under the Composable Agentic Platform Server installation:

Certificates folder

Our certificate is found in that folder with the name: root.pem
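
Before importing root.pem into a trust store, you can confirm that the file is a CA certificate, is within its validity period, and record its SHA-256 fingerprint so the same entry can be recognised later in the certificate manager. The script below is an added example, not part of the product or the original guide; it assumes the openssl command-line tool is installed, and the function names and the constructed sample certificates are illustrative.

```shell
# Added example: inspect a CA file before importing it into a trust store.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep 'CA:TRUE' >/dev/null
}

# Succeed only if the certificate will not have expired 24 hours from now.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# Gate for the import: the file is a CA, is in date, and (when a previously
# recorded fingerprint is passed as $2) matches that fingerprint.
check_root() {
    cert_is_ca "$1" || { echo "not a CA certificate" >&2; return 1; }
    cert_not_expiring "$1" || { echo "expired or expiring" >&2; return 1; }
    if [ -n "${2:-}" ] && [ "$(cert_fingerprint "$1")" != "$2" ]; then
        echo "fingerprint mismatch" >&2; return 1
    fi
    echo "ok $(cert_fingerprint "$1")"
}

# Constructed sample input: a throwaway CA and a non-CA certificate written
# to directory $1, standing in for root.pem so the checks run offline.
make_samples() {
    cat > "$1/sample.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Sample
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
    for kind in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -config "$1/sample.cnf" -extensions "${kind}_ext" \
            -keyout "$1/$kind.key" -out "$1/$kind.pem" 2>/dev/null || return 1
    done
}

if [ "$#" -gt 0 ]; then check_root "$@"; fi
```

Saved as a script and run with the path to root.pem as its first argument, it prints the fingerprint to compare against the entry shown in the browser or system certificate manager after the import.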

Installing the certificate in Firefox

To install the certificate authority in Firefox, start by selecting Options from the main menu:

Firefox Settings

Then select the Privacy & Security section and click View Certificates:

View Certificates in Privacy & Security tab

In the certificate manager, select the Authorities tab:

Authorities tab in Certificate Manager

Click on Import… then open the root.pem file from the location described earlier (the Certificates folder).

You will be given the option to select the level of trust for the certificate. Select “Trust this CA to identify websites” and click on OK:

Trust new Certificate Authority

Click on OK again to close the certificate manager.

Routing Firefox through the Composable Agentic Platform browser proxy

To be able to see traffic flowing between Firefox and your target site, you must configure Firefox to use the proxy. Under the Options Advanced settings, select the Network tab and click on Settings.

Browser Network Settings

Configure the proxy as shown and click on OK:

Connection Settings

You can now close the Settings tab in Firefox.

The certificate is now installed, and you are ready to see traffic.

Installing the certificate in Chrome/Edge for Windows

Please note that by using the Chrome installation method, other browsers (such as the Microsoft Edge browser) will be affected as well.

We will therefore only show the Chrome approach.

Important: To install the certificate, the user MUST have administrative privileges on the system.

In the Chrome browser, select Settings:

Chrome Settings

Scroll down the page that appears and click on Privacy and Security

Locate the HTTPS/SSL section and click Manage certificates…

Manage Certificates

In the dialog box that appears, navigate to the Trusted Root Certification Authorities tab and click on Import.

Trusted Root Certification Authorities

This takes you to the certificate import wizard:

Certificate import wizard

Click on Next

Specify file for certificate

Important: PEM files are not available as a default filter. To locate the file, select All Files (*.*):

Select root.pem file from certificates

Locate and select the root.pem file, then click on Open

The file name now appears in the Certificate Import Wizard and you can click on Next.

Select the certificate store as shown and click on Next:

Select certificate store

You will be presented with a review page. Click on Finish.

A security warning appears. Make sure you click on Yes:

Security Warning window

The certificate will be imported:

Successful message for certificate import

Close the certificates list:

Certificate list window

Routing Chrome/Edge through the Composable Agentic Platform browser proxy

Please note that by using the Chrome installation method, other browsers (such as the Microsoft Edge browser) will be affected as well. We will therefore only show the Chrome approach.

Within the Chrome advanced settings, locate Network and click on Change proxy settings…

Change proxy settings

In the Internet Properties dialog that appears, click on LAN settings:

LAN settings

Set the proxy server as shown and click on OK:

Proxy Server section

Then click OK again to close the internet properties and close the Settings tab in Chrome. The certificate is now installed and you are ready to see traffic.

Installing the certificate into the OS X Keychain for Safari and Chrome

Please note that both Safari and Chrome use the same certificate store so this installation applies to both.

To install the certificate, navigate to the Certificates folder and double-click on the root.pem file. The Keychain Access utility will launch and requires you to enter your Admin User credentials:

Login window for Keychain access

Enter your password and click on Modify Keychain

This will launch the Keychain Access utility with the certificate imported into the System keychain:

Keychain Access

Double-click on the TomorrowX CA certificate to bring up the details:

TomorrowX CA Certificate details

Expand the Trust option and set the drop-down ‘When using this certificate’ to Always Trust:

Always trust for TomorrowX CA

Close the pop-up details window and enter your administrator password to update. The entry will now have a blue circle with a white cross to indicate a trusted certificate and will have the following text: “This certificate is marked as trusted for all users”:

TomorrowX CA marked as trusted for all users

Testing the certificate installation

Now that your certificate is installed, switch to the Composable Agentic Platform console, select the Product Trial repository and deploy the BasicWebLister configuration to the proxy server.

Wait for the proxy server to start.

You are now ready to test if you can bypass HTTP Strict Transport Security (HSTS) protection. In your browser go to https://www.google.com

Google should load as normal:

Chrome homepage

And you should see traffic in the proxy console:

Traffic in the proxy console
