# Certificate Configuration Guide

## 📋 Overview

This program uses hardcoded certificate data and no longer reads external certificate files at runtime. The CA certificate, the PKCS#12 bundle (CA certificate plus its private key) and the bundle password are embedded in the source code and compiled into the binary, so configuring the program means editing three constants and rebuilding.
## 🔧 Configuration Steps

### Step 0: Generate all files

The commands below produce the two files Step 1 expects: `CA.crt`, the self-signed CA certificate that clients must trust, and `cert.p12`, the same certificate bundled with its private key. `-days 3650` gives a ten-year validity period.

```bash
# in WSL: self-signed CA (10 years) + private key, named as Step 1 expects
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=MITM Test CA" -keyout private.key -out CA.crt
# expect "CA:TRUE"; if absent, add -addext "basicConstraints=critical,CA:TRUE" to the command above
openssl x509 -in CA.crt -noout -text | grep -A1 "Basic Constraints"
# the export password you type here becomes hardcodedP12Password in Step 3
openssl pkcs12 -export -out cert.p12 -inkey private.key -in CA.crt
```

Many TLS verifiers refuse to accept an issuer whose certificate lacks `basicConstraints CA:TRUE`, so check the second command's output before going further.
### Step 1: Prepare Certificate Files

Ensure you have the following files (Step 0 produces both):

- `cert.p12` - PKCS#12 bundle containing the CA private key and certificate, protected by the export password
- `CA.crt` - the CA root certificate in PEM format; this is what the program installs into the client trust store
### Step 2: Convert P12 Certificate to Base64

#### Windows System:

```cmd
certutil -encode cert.p12 cert_base64.txt
```

`certutil -encode` wraps its output in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines even though the input is not a certificate. Delete those two lines before pasting and keep only the base64 lines.

#### Linux/Mac System:

```bash
base64 cert.p12 > cert_base64.txt
```

Line breaks in the encoded output are expected: the constant in Step 3 holds the data as wrapped lines.
### Step 3: Edit Source Code

Open the `cert_utils.go` file and find the following constants to replace:

#### 1. P12 Certificate Data

Copy the content of `cert_base64.txt` (base64 lines only) to the `hardcodedP12Data` constant:

```go
const (
	// Base64 of cert.p12 from Step 2. Line breaks are fine, but do not paste the
	// -----BEGIN/END CERTIFICATE----- lines that certutil adds.
	hardcodedP12Data = `
MIIKYwIBAzCCCh8GCSqGSIb3DQEHAaCCChAEggmMIIIJiDCCBW8GCSqGSIb3DQEH
BqCCBWAwggVcAgEAMIIFVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI7n7Q
... (your base64 certificate data)
`
	// const block continues with hardcodedCACert and hardcodedP12Password below
```
#### 2. CA Certificate Data

Copy the complete PEM content of the `CA.crt` file, including the BEGIN and END lines, to the `hardcodedCACert` constant:

```go
	// PEM contents of CA.crt, header and footer lines included
	hardcodedCACert = `-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKoK/OvD/h8wMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
... (your CA certificate data)
-----END CERTIFICATE-----`
```
#### 3. Certificate Password

Set the password to the export password you entered when `openssl pkcs12 -export` prompted for it in Step 0:

```go
	// Export password entered at `openssl pkcs12 -export`
	hardcodedP12Password = "your_actual_password"
)
```
### Step 4: Recompile

After configuration is complete, recompile the program:

```bash
go build -o mitm.exe .
```

The CA certificate, the P12 bundle with its private key, and the password are now part of `mitm.exe`; see Security Considerations below.
## ✅ Verify Configuration

When starting the program, you should see:

- ✅ "CA certificate installed successfully" - indicates the CA certificate parsed correctly and was installed into the trust store
- ✅ No certificate-related error messages

If you see "Warning: No valid P12 certificate data provided, generating self-signed certificate for testing", the embedded P12 data was not usable and the program fell back to a freshly generated certificate, which is not the one your clients trust. Re-check the base64 data from Step 2 and the password from Step 3.
## 🔍 Feature Improvements

### HTTPS Traffic Decryption

The program can now:

1. **Transparent Proxy** - When TLS decryption fails, still proxy the encrypted traffic
2. **Decryption Proxy** - Use your certificate to decrypt HTTPS traffic
3. **Dual Dump** - Save both encrypted and decrypted data

### Output File Format

- `timestamp_domain_request_encrypted.bin` - Encrypted request data
- `timestamp_domain_request_decrypted.bin` - Decrypted request data
- `timestamp_domain_response_encrypted.bin` - Encrypted response data
- `timestamp_domain_response_decrypted.bin` - Decrypted response data

### Complete Data Output

Console output now shows:

- Complete HTTP request/response data (no longer truncated)
- Complete HTTPS decrypted traffic content
- Data length information
## ⚠️ Security Considerations

1. **Source Code Security** - The CA private key (inside the P12 bundle) and its password now live in the source tree and in every build made from it. Treat the repository like a key store: no public pushes, restricted read access.
2. **Password Protection** - A hardcoded password is recoverable from the binary with a plain strings dump. Reading it from an environment variable at runtime keeps it out of the source and the binary; note that the P12 bundle itself still ships inside the binary.
3. **Certificate Validity** - Regularly check the embedded certificate's expiry and rotate it; an expired CA breaks every interception and the fix requires a rebuild.
4. **Access Control** - Anyone who obtains the compiled program can extract the CA key and forge certificates for every client that trusts this CA. Restrict distribution of the binary, and remove the CA from client trust stores when testing is finished.
## 🐛 Troubleshooting

### Issue 1: Certificate Parsing Failed

**Cause**: Base64 data is malformed or incomplete (a truncated paste, or the BEGIN/END lines left in from `certutil -encode`)

**Solution**: Redo the base64 conversion, compare the length of the pasted data with `cert_base64.txt`, and make sure only base64 lines were pasted

### Issue 2: TLS Handshake Failed

**Cause**: The client does not trust the embedded CA, the certificate does not match the domain, or the certificate has expired

**Solution**: Confirm the CA was installed into the client's trust store, then check the certificate's validity period and the domain configuration

### Issue 3: CA Certificate Installation Failed

**Cause**: CA certificate is not valid PEM (missing or mangled `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines) or the program lacks the privileges to modify the trust store

**Solution**: Run with administrator privileges and check that `hardcodedCACert` holds the complete PEM block
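The following Go program is an added example, not part of the project's `cert_utils.go`. It pre-flights the two embedded constants before you rebuild and reproduces the failure modes listed under Verify Configuration and Issues 1 to 3 above: `normalizeBase64` accepts both Step 2 outputs (certutil header lines, CRLF line endings, wrapped lines), `decodeP12` catches base64 that is corrupt or was made from the wrong file, and `checkCACert` rejects a CA certificate that is not valid PEM, lacks `CA:TRUE`, or is outside its validity period. All function names are assumptions made for this example, and `makeTestCertPEM` generates a throwaway certificate as constructed input rather than using the page's real CA. Unlocking the PKCS#12 bundle with the password needs a PKCS#12 library and is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// normalizeBase64 removes the -----BEGIN/END----- lines that certutil -encode
// adds and all whitespace, so output from either Step 2 variant decodes cleanly.
func normalizeBase64(s string) string {
	var b strings.Builder
	for _, line := range strings.Split(s, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-----") {
			continue
		}
		b.WriteString(line)
	}
	return b.String()
}

// decodeP12 decodes the embedded base64 and checks the result looks like DER:
// a PKCS#12 file is an ASN.1 SEQUENCE, so its first byte must be 0x30.
func decodeP12(b64 string) ([]byte, error) {
	der, err := base64.StdEncoding.DecodeString(normalizeBase64(b64))
	if err != nil {
		return nil, fmt.Errorf("P12 base64 decode: %w", err)
	}
	if len(der) < 2 || der[0] != 0x30 {
		return nil, errors.New("P12 data is not a DER SEQUENCE (wrong file encoded or truncated)")
	}
	return der, nil
}

// checkCACert parses the PEM CA certificate and verifies what a MITM root needs:
// basicConstraints CA:TRUE, the keyCertSign key usage, and validity at `now`.
func checkCACert(pemData string, now time.Time) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemData))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("CA data is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("CA parse: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, errors.New("CA certificate lacks basicConstraints CA:TRUE")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return nil, errors.New("CA certificate lacks keyCertSign key usage")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("CA certificate not valid at %s (NotAfter %s)", now.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return cert, nil
}

// makeTestCertPEM builds a throwaway self-signed certificate as constructed test
// input (not the project's CA). isCA toggles the CA:TRUE constraint.
func makeTestCertPEM(isCA bool, notAfter time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "MITM Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	caPEM, _ := makeTestCertPEM(true, time.Now().Add(24*time.Hour))
	_, err := checkCACert(caPEM, time.Now())
	fmt.Println("CA check error:", err)
	// certutil-style input: header/footer lines and CRLF; "MAAB" is base64 of 0x30 0x00 0x01
	der, err := decodeP12("-----BEGIN CERTIFICATE-----\r\nMAAB\r\n-----END CERTIFICATE-----\r\n")
	fmt.Printf("P12 decode: %d bytes, err=%v\n", len(der), err)
}
```

To check a real configuration, pass the values of `hardcodedP12Data` and `hardcodedCACert` to `decodeP12` and `checkCACert` in place of the constructed inputs in `main`; an error from either function points at the corresponding troubleshooting entry above.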
## 📞 Technical Support

If you encounter configuration issues:

1. Check certificate file format and validity
2. Verify base64 conversion results
3. Confirm running with administrator privileges
4. Check console error messages