mitm/certificate_guide.md

# Certificate Configuration Guide
## 📋 Overview
This program now uses hardcoded certificate data and does not require external certificate files. You need to embed the certificate data into the source code.
## 🔧 Configuration Steps
### Step 1: Prepare Certificate Files
Ensure you have the following files:
- `cert.p12` - PKCS#12 format certificate file (contains private key and certificate)
- `CA.crt` - CA root certificate file
### Step 2: Convert P12 Certificate to Base64
#### Windows System:
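```cmd
rem certutil wraps its output in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines.
rem Copy only the base64 lines between them in Step 3.
certutil -encode cert.p12 cert_base64.txt
```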
#### Linux/Mac System:
```bash
# Reading from stdin works with both GNU coreutils and macOS base64
base64 < cert.p12 > cert_base64.txt
```
### Step 3: Edit Source Code
Open the `cert_utils.go` file and find the following constants to replace:
#### 1. P12 Certificate Data
Copy the content of `cert_base64.txt` to the `hardcodedP12Data` constant:
```go
const (
	hardcodedP12Data = `
MIIKYwIBAzCCCh8GCSqGSIb3DQEHAaCCChAEggmMIIIJiDCCBW8GCSqGSIb3DQEH
BqCCBWAwggVcAgEAMIIFVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI7n7Q
... (your base64 certificate data)
`
	// hardcodedCACert and hardcodedP12Password (shown below) belong to this same const block
)
```
#### 2. CA Certificate Data
Copy the complete PEM content of the `CA.crt` file to the `hardcodedCACert` constant:
```go
hardcodedCACert = `-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKoK/OvD/h8wMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
... (your CA certificate data)
-----END CERTIFICATE-----`
```
#### 3. Certificate Password
Modify the certificate password:
```go
hardcodedP12Password = "your_actual_password"
```
### Step 4: Recompile
After configuration is complete, recompile the program:
```bash
go build -o mitm.exe .
```
## ✅ Verify Configuration
When starting the program, you should see:
- ✅ "CA certificate installed successfully" - indicates CA certificate is configured correctly
- ✅ No certificate-related error messages
If you see "Warning: No valid P12 certificate data provided, generating self-signed certificate for testing", it means the P12 certificate configuration has issues.
## 🔍 Feature Improvements
### HTTPS Traffic Decryption
The program can now:
1. **Transparent Proxy** - When TLS decryption fails, still proxy encrypted traffic
2. **Decryption Proxy** - Use your certificate to decrypt HTTPS traffic
3. **Dual Dump** - Save both encrypted and decrypted data
### Output File Format
- `timestamp_domain_request_encrypted.bin` - Encrypted request data
- `timestamp_domain_request_decrypted.bin` - Decrypted request data
- `timestamp_domain_response_encrypted.bin` - Encrypted response data
- `timestamp_domain_response_decrypted.bin` - Decrypted response data
### Complete Data Output
Console output now shows:
- Complete HTTP request/response data (no longer truncated)
- Complete HTTPS decrypted traffic content
- Data length information
## ⚠️ Security Considerations
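1. **Source Code Security** - The certificate and its private key are now embedded in the source code and in the compiled binary; protect the source tree accordingly and keep real key material out of shared repositories
2. **Password Protection** - Consider supplying the certificate password through an environment variable or a similar mechanism instead of hardcoding it
3. **Certificate Validity** - Regularly check and update embedded certificates
4. **Access Control** - Restrict access to the compiled program, since it contains the embedded certificate data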
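
One way to act on the password-protection point and to catch bad base64 before it reaches the certificate parser, as an added example that is not part of the project's code. `decodeP12` accepts the output of either Step 2 command, including the header lines `certutil -encode` adds, and `p12Password` reads the password from the environment; both function names and the `MITM_P12_PASSWORD` variable are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// decodeP12 accepts the text written by `base64` or `certutil -encode`
// (certutil adds -----BEGIN/END CERTIFICATE----- lines) and returns raw bytes.
func decodeP12(text string) ([]byte, error) {
	var b strings.Builder
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-----") {
			continue // blank line or certutil header/footer
		}
		b.WriteString(line)
	}
	der, err := base64.StdEncoding.DecodeString(b.String())
	if err != nil {
		return nil, fmt.Errorf("P12 base64 is malformed or truncated: %w", err)
	}
	if len(der) < 2 || der[0] != 0x30 {
		return nil, errors.New("decoded data is not a DER SEQUENCE, so not PKCS#12")
	}
	return der, nil
}

// p12Password reads the password from the environment instead of a constant.
// MITM_P12_PASSWORD is a name chosen for this example, not a project setting.
func p12Password() (string, error) {
	pw := os.Getenv("MITM_P12_PASSWORD")
	if pw == "" {
		return "", errors.New("MITM_P12_PASSWORD is not set")
	}
	return pw, nil
}

func main() {
	// Constructed sample: a 4-byte DER SEQUENCE header, not a real certificate.
	sample := "-----BEGIN CERTIFICATE-----\r\nMIIK\r\nYw==\r\n-----END CERTIFICATE-----\r\n"
	der, err := decodeP12(sample)
	fmt.Println(len(der), err)
	_, err = p12Password()
	fmt.Println("password:", err)
}
```

The leading-byte check only rejects data that is obviously not DER; the PKCS#12 container itself is still validated when the program parses it with the password.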
## 🐛 Troubleshooting
### Issue 1: Certificate Parsing Failed
**Cause**: The base64 data is malformed or incomplete
**Solution**: Check the base64 conversion process and make sure the data was copied in full
### Issue 2: TLS Handshake Failed
**Cause**: The certificate doesn't match the domain, or the certificate has expired
**Solution**: Check certificate validity and domain configuration
### Issue 3: CA Certificate Installation Failed
**Cause**: The CA certificate is in the wrong format, or the program has insufficient permissions
**Solution**: Run the program with administrator privileges and check the CA certificate format
## 📞 Technical Support
If you encounter configuration issues:
1. Check certificate file format and validity
2. Verify base64 conversion results
3. Confirm running with administrator privileges
4. Check console error messages