Browser Certificate Installation Guide
Version: 10.0 / Modifications: 0
Introduction
This manual describes how to install browser certificates for testing access and modifications to sites that are protected by HTTP Strict Transport Security (HSTS). It is assumed that the reader is familiar with the basic steps of deploying configurations within Composable Architecture Platform and knows how to view the console output associated with the Composable Architecture Platform proxy server.
When using the Composable Architecture Platform browser proxy to access secure web sites over HTTPS, you will encounter a certificate warning in the browser, like the following:
These warnings are relatively easy to get around by clicking on the Advanced button and adding an exception.
However, with the advent of HTTP Strict Transport Security (HSTS), this is no longer possible, as the browser will refuse to add the exception:
The following guide provides instructions on how to overcome this problem by installing a trusted certificate authority into your browser that Composable Architecture Platform in turn will use to generate valid replacement certificates for each SSL site on the fly.
Getting started
Before you begin you should make some updates to your Composable Architecture Platform installation.
Required Updates
The first step is to update/install the following components via the update server:
Composable Architecture Platform console (10.0.0:21050 or later)
Base Rules (2021-07-16 or later)
BIP Runtime (2018-08-07 or later)
HTTP Rules (2021-07-15 or later)
Locating the certificate
After the BIP Runtime extension has been installed, locate the folder named ‘Certificates’ under the Composable Architecture Platform Server installation:
Our certificate is found in that folder with the name: root.pem
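Because every browser that imports root.pem will accept any certificate signed by that authority, it is worth confirming the file before trusting it. The following Python sketch is an added example, not part of the product or of the original guide: it fingerprints the certificate so the value can be compared with one recorded on the server, and flags a file that also carries a private key. The function names, the sample PEM (constructed placeholder bytes, not a real certificate) and the expectation of exactly one certificate in the file are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample input: placeholder bytes wrapped as PEM, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def inspect_pem(text):
    """Return (fingerprints, has_private_key) for the PEM text.

    fingerprints: SHA-256 over each CERTIFICATE block's decoded bytes,
    as colon-separated upper-case hex.
    has_private_key: True if any block label ends in PRIVATE KEY.
    """
    fingerprints, has_private_key = [], False
    for label, body in PEM_BLOCK.findall(text):
        if label.endswith("PRIVATE KEY"):
            has_private_key = True
        elif label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            digest = hashlib.sha256(der).hexdigest().upper()
            fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return fingerprints, has_private_key


def safe_to_import(text, expected_fingerprint):
    """True only for exactly one certificate, no key, matching fingerprint."""
    fingerprints, has_private_key = inspect_pem(text)
    return (
        len(fingerprints) == 1
        and not has_private_key
        and fingerprints[0] == expected_fingerprint.upper()
    )


if __name__ == "__main__":
    print(inspect_pem(SAMPLE_PEM))
```

To use it on a real file, pass the text of root.pem and the fingerprint noted on the server to safe_to_import; the same fingerprint identifies the authority later when it is removed from the trust store after testing.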
Installing the certificate in Firefox
To install the certificate authority in Firefox, start by selecting Options from the main menu:
Then select the Privacy & Security section and click View Certificates:
In the certificate manager, select the Authorities tab:
Click on Import… then open the root.pem file from the location described earlier (the Certificates folder).
You will be given the option to select the level of trust for the certificate. Select “Trust this CA to identify websites” and click on OK:
Click on OK again to close the certificate manager.
Routing Firefox through the Composable Architecture Platform browser proxy
To be able to see traffic flowing between Firefox and your target site, you must configure Firefox to use the proxy. Under the Options Advanced settings, select the Network tab and click on Settings.
Configure the proxy as shown and click on OK:
You can now close the Settings tab in Firefox.
The certificate is now installed, and you are ready to see traffic.
Installing the certificate in Chrome/Edge for Windows
Please note that by using the Chrome installation method, other browsers (such as the Microsoft Edge browser) will be affected as well.
We will therefore only show the Chrome approach.
Important: To install the certificate, the user MUST have administrative privileges on the system.
In the Chrome browser, select Settings:
Scroll down the page that appears and click on Privacy and Security
Locate the HTTPS/SSL section and click Manage certificates…
In the dialog box that appears, navigate to the Trusted Root Certification Authorities tab and click on Import.
This takes you to the certificate import wizard:
Click on Next
Important: PEM files are not available as a default filter. To locate the file, select All Files (*.*):
Locate and select the root.pem file, then click on Open.
The file name now appears in the Certificate Import Wizard and you can click on Next.
Select the certificate store as shown and click on Next:
You will be presented with a review page. Click on Finish.
A security warning appears. Make sure you click on Yes:
The certificate will be imported:
Close the certificates list:
Routing Chrome/Edge through the Composable Architecture Platform browser proxy
Please note that by using the Chrome installation method, other browsers (such as the Microsoft Edge browser) will be affected as well. We will therefore only show the Chrome approach.
Within the Chrome advanced settings, locate Network and click on Change proxy settings…
In the Internet Properties dialog that appears, click on LAN settings:
Set the proxy server as shown and click on OK:
Then click OK again to close the internet properties and close the Settings tab in Chrome. The certificate is now installed and you are ready to see traffic.
Installing the certificate into the OSX Key Chain for Safari and Chrome
Please note that both Safari and Chrome use the same certificate store so this installation applies to both.
To install the certificate, navigate to the Certificates folder and double-click on the root.pem file. The Keychain Access utility will launch and requires you to enter your Admin User credentials:
Enter your password and click on Modify Keychain
This will launch the Keychain Access utility with the certificate imported into the System keychain:
Double-click on the TomorrowX CA certificate to bring up the details:
Expand the Trust option and set the drop-down ‘When using this certificate’ to Always Trust:
Close the pop-up details window and enter your administrator password to update. The entry will now have a blue circle with a white cross to indicate a trusted certificate and will have the following text: “This certificate is marked as trusted for all users”:
Testing the certificate installation
Now that your certificate is installed, switch to the Composable Architecture Platform console, select the Product Trial repository and deploy the BasicWebLister configuration to the proxy server.
Wait for the proxy server to start.
You are now ready to test if you can bypass HTTP Strict Transport Security (HSTS) protection. In your browser go to https://www.google.com
Google should load as normal:
And you should see traffic in the proxy console: