MITM certificate expired

Question

MITM certificate expired

Opened this issue 5 years ago · 6 comments

The PCAP Remote MITM certificate expired. I tried to de-install and re-install the app, but the installed certificate is always the same with expiry date 19 Aug 2020. I thought when I re-install the app it would automatically generate a new certificate.

I use PCAP Remote on a Samsung tablet with Lineage OS 14.1 (Android 7.1.2) and ADB root enabled. Then I connect to a ADB root shell and copy the certificate from the user certificate store to the system certificate store to allow the it be used for MITM. Please help me generating and installing a new certificate.

Here is the openssl output of cert.pem:

$ openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:bb:6c:c0:9e:b1:1a:ae:6c:1b:24:63:06:19:c1:67:c8:24:ca:e6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = RU, ST = MITM, L = MITM, O = MITM, OU = MITM, CN = MITM, emailAddress = MITM
        Validity
            Not Before: Aug 20 16:31:38 2019 GMT
            Not After : Aug 19 16:31:38 2020 GMT
        Subject: C = RU, ST = MITM, L = MITM, O = MITM, OU = MITM, CN = MITM, emailAddress = MITM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:db:15:4c:c9:65:f8:77:7b:3d:eb:5e:3c:bd:b7:
                    93:5f:cf:05:e9:ea:c2:a6:e8:fc:23:da:2e:a9:44:
                    92:c3:1b:ab:80:93:b8:63:f2:74:de:b8:d8:35:0b:
                    d7:da:bb:7d:d5:be:ae:0b:ee:ad:fe:04:c7:a8:b8:
                    f2:45:67:54:fa:0f:7e:a3:7f:68:e2:3f:45:4c:25:
                    94:5f:14:5a:cf:f2:82:54:9d:7d:c5:dc:90:6f:63:
                    99:cc:b8:a4:d7:ad:9c:83:ff:af:54:63:0d:4d:b8:
                    2d:20:1c:3f:11:f9:be:8c:16:e7:0d:37:f3:61:c2:
                    de:51:a7:2c:f2:84:d9:32:2d:1f:2d:92:78:1a:92:
                    8d:dd:f4:4a:8b:17:d0:c8:43:a7:3a:d3:c8:6a:fc:
                    dc:cc:0f:21:36:44:42:c5:89:27:ad:20:de:af:ab:
                    3e:f9:7d:ac:33:d0:c1:b1:49:32:26:99:f0:1d:b8:
                    67:2b:12:dc:fa:a2:8f:8f:41:23:0d:33:b0:34:e4:
                    64:cb:ec:54:e2:43:85:24:8d:46:cb:2e:fc:4f:22:
                    fc:63:57:75:8e:97:c1:8e:02:4f:62:65:35:f6:89:
                    45:a6:c7:0c:28:58:bf:74:9f:5f:08:cf:69:0c:2a:
                    54:be:d7:38:f7:ac:20:18:96:22:be:2f:1d:83:e3:
                    97:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AF:3E:9B:A6:43:A9:50:64:94:72:AE:05:64:83:01:1B:9E:6A:EE:31
            X509v3 Authority Key Identifier: 
                keyid:AF:3E:9B:A6:43:A9:50:64:94:72:AE:05:64:83:01:1B:9E:6A:EE:31

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         5d:64:17:a3:8f:31:36:1b:6a:a2:f8:91:6e:20:77:7d:ad:a3:
         fc:a9:b7:47:b9:8f:1d:34:1d:a0:06:bc:ab:20:ad:6d:bc:23:
         b0:93:bd:b9:e1:90:33:0d:af:93:b9:18:1c:16:cf:08:e3:d8:
         85:11:97:7c:54:58:8d:aa:c6:7f:f4:d9:b0:c5:71:9c:dc:dc:
         76:e3:ee:70:d9:3b:81:8e:8c:be:c6:ee:f6:a1:ff:6a:74:9d:
         63:8a:d0:56:93:0e:bb:d8:7b:dd:47:f2:ae:ce:31:19:d0:6d:
         4c:0e:52:a3:5b:5f:dc:c9:7a:54:3f:de:af:3a:74:ee:5c:6f:
         7c:09:cf:01:c0:e8:ba:60:a0:e3:27:ba:1b:9f:5d:8e:ee:80:
         c8:fd:e3:87:46:da:89:4a:28:62:b0:d6:a5:07:22:5d:a0:53:
         d2:38:e9:38:21:96:3d:c6:3c:fa:b7:e7:39:81:d6:83:ed:d2:
         49:39:54:cf:c8:b6:50:b5:b6:4e:33:7d:3b:2f:c9:01:35:e0:
         be:ea:f9:05:7d:04:cb:e8:e3:34:07:8f:b5:c6:f3:ef:e9:6d:
         4e:84:c2:00:72:2c:79:f3:02:ab:bf:63:04:26:73:20:ed:75:
         43:3e:87:d0:e5:fa:29:77:2b:e9:9d:9c:03:26:d0:ad:f7:ef:
         ba:ce:ef:32

Answer 1 · 2020-09-11T16:31:21.000Z

Hello Alexander,

I will look at the issue tomorrow.

Answer 2 · 2021-03-17T16:41:32.000Z

Hello Andrey,

what is the current status of this issue?

Answer 3 · 2021-03-29T08:30:22.000Z

Hello @egorovandreyrm

Did you check on the issue? What is the current status of it?

Answer 4 · 2021-03-30T09:42:07.000Z

You can generate your own certificate by the following steps.

Define the constraints for your cert

This constraint is important. Without it, the Android system won't let you install your certificate.

touch constraints.txt
echo "basicConstraints=CA:true" > constraints.txt

Generate a private key

openssl genrsa -out private.key 2048

Generate a raw cert

openssl req -new -days 3650 -key private.key -out CA.pem

Set the constraints to your cert

openssl x509 -req -days 3650 -in CA.pem -signkey private.key -extfile ./constraints.txt -out CA.crt

Update the app assets

Copy over the content of CA.crt to app/src/main/assets/mitm_cert/cert.pem.
Copy over the content of private.key to app/src/main/assets/mitm_cert/key.pem.

Rebuild the app and everything should be working. Refer to this article for more information.

Answer 5 · 2021-04-09T16:41:41.000Z

You can generate your own certificate by the following steps.

Define the constraints for your cert

This constraint is important. Without it, the Android system won't let you install your certificate.
touch constraints.txt
echo "basicConstraints=CA:true" > constraints.txt
Generate a private key
openssl genrsa -out private.key 2048
Generate a raw cert
openssl req -new -days 3650 -key private.key -out CA.pem
Set the constraints to your cert
openssl x509 -req -days 3650 -in CA.pem -signkey private.key -extfile ./constraints.txt -out CA.crt
Update the app assets

Copy over the content of CA.crt to app/src/main/assets/mitm_cert/cert.pem.

Copy over the content of private.key to app/src/main/assets/mitm_cert/key.pem.

Rebuild the app and everything should be working. Refer to this article for more information.

If you are on Windows, You can use Keystore explorer to achieve the same. It is GUI based.

Answer 6 · 2021-12-01T12:40:10.000Z

Any updates?