Fév 182019

Last article of a series of 4 articles.

This time, we will push it a bit further on the certificate side (using SAN field) as modern browsers like Chrome demand this field :

-divert dns traffic to a rogue local dns server : see here

-spoof a remote hostname with our local ip (using tool in step above) – these 2 steps could be skipped if you modify your local hosts file.

-setup a https server locally with a « self signed » certificate (see below)

First our root ca (dont forget to add in your ca store):
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Lets add it to our root certificate authorities : certutil -enterprise -f -v -addstore « root » rootCA.pem

Second our CSR:
modify our openssl.cnf accordingly : add subjectAltName=DNS:fakedomain.com,DNS:*.fakedomain.com under section v3_req
set the path to your your cnf file with set OPENSSL_CONF=c:\_apps\OpenSSL\ssl\openssl.cnf
generate your csr
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out fakedomain.csr

About the CN, enter « fakedomain.com »

Last, our CRT (the trick is is to point at your cnf or else the SAN field will not be taken care of)
openssl x509 -req -in fakedomain.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out fakedomain.crt -days 500 -sha256 -extfile c:\_apps\openssl\ssl\openssl.cnf

And tada, launch your chrome browser and browse https://www.fakedomain.com/ and chrome will be happy.

Poster un Commentaire

1 Fils de commentaires
0 Réponses de fil
0 Abonnés
Commentaire avec le plus de réactions
Le plus populaire des commentaires
0 Auteurs du commentaire
Auteurs de commentaires récents

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

plus récent plus ancien
Notifier de

[…] Step 1 : we will install Indy 10 in Lazarus Step 2 : we will code a lightweight http server Step 3 : we will generate a root certificate authority / use it to sign a certificate and turn our http server in https step 4 : we will see the difference between CN field (normally matching your web server) and SAN fie… […]