8. March 2010 13:22
After changing our domain at work, Fiddler was no longer able to intercept SSL traffic. When accessing the local development box via SSL, an error occurred stating that the certificate could not be created.
When intercepting SSL traffic, Fiddler creates a self-signed root certificate and uses it to issue certificates for the sites you navigate to. Since the root certificate is issued to the computer Fiddler runs on, it makes a difference when that computer changes its domain. Fiddler uses the makecert.exe utility from the Windows SDK to generate its certificates. Launching it with the same arguments (I used Process Monitor to find the exact invocation) showed the following error:
Can't create the key of the subject ('JoeSoft')
It seems we were not the first ones to experience the problem. Some articles suggested deleting specific files from the crypto storage; however, none of this helped me. In the end I found this article, which suggested that the root cause of the problem is a lack of permissions and that manually importing the certificate would do the job, so I created the self-signed certificate in another location and then imported it manually. These are the exact steps:
- Remove all certificates signed by the Fiddler root, and the Fiddler root itself, from your current user's certificate store using the MMC.
- Open a command prompt, navigate to the Fiddler directory (e.g. c:\program files\fiddler2) and execute the following command line:
  MakeCert.exe -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -eku 1.3.6.1.5.5.7.3.1 -r -cy authority -a sha1 -sr LocalMachine
- This creates a root certificate for Fiddler, however in a different location than Fiddler would do it.
- Open your MMC certificate snap-in, connect to your Local Computer and navigate to Personal -> Certificates.
- Export the DO_NOT_TRUST_FiddlerRoot certificate to disk (that is the certificate you created two steps before), using PKCS #7 as the format.
- Open the MMC certificate snap-in for the current user and import the exported certificate to Personal -> Certificates and Trusted Root Certification Authorities -> Certificates.
- Restart Fiddler.
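To confirm the result of the steps above, the following PowerShell script lists every store that now holds the Fiddler root or a certificate issued by it. It is an added example, not part of the original post or of Fiddler; it only reads the stores, and the choice of stores to check (including LocalMachine\Root, which the steps never touch) is an assumption of this example.

```powershell
# Added example: read-only audit of where the Fiddler interception root
# and its issued certificates are stored after the manual import.
$rootName = 'CN=DO_NOT_TRUST_FiddlerRoot'   # subject used in the MakeCert command above

$stores = @(
    'Cert:\LocalMachine\My',    # where MakeCert -sr LocalMachine -ss my created the root
    'Cert:\CurrentUser\My',     # Personal -> Certificates (import target)
    'Cert:\CurrentUser\Root',   # Trusted Root Certification Authorities (import target)
    'Cert:\LocalMachine\Root'   # not part of the steps; checked to spot machine-wide trust
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$rootName*" -or $_.Issuer -like "*$rootName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                # Self-signed (subject equals issuer) means it is the root itself.
                Role          = $(if ($_.Subject -eq $_.Issuer) { 'root' } else { 'leaf' })
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
}

$found | Sort-Object Role, Store | Format-Table -AutoSize

# All copies of the root should be the same certificate. More than one
# thumbprint means an old root survived the clean-up in the first step.
$roots  = @($found | Where-Object { $_.Role -eq 'root' })
$thumbs = @($roots | Select-Object -ExpandProperty Thumbprint -Unique)
if ($thumbs.Count -gt 1) {
    Write-Warning "Found $($thumbs.Count) different Fiddler roots: $($thumbs -join ', ')"
}

# The steps import the root for the current user only. A copy in the machine
# root store would make every account on the box trust intercepted traffic.
if ($roots | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' }) {
    Write-Warning 'Fiddler root is trusted machine-wide (LocalMachine\Root).'
}
```

Running the same script after uninstalling Fiddler shows whether the interception root is still trusted anywhere on the machine.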
The interesting question here is what changed the permissions, since I originally installed Fiddler and everything worked for over a year. Perhaps something changed during the migration process, perhaps even before. Who knows.