I recently ran into an issue caused by a TLS proxy where my Kali Linux VM (running via Parallels on my Macbook Pro with OSX 10.11.6) was unable to make SSL connections because the TLS handshake was failing due to the invalid chain of trust. So I began to poke around to find and install the correct certs to fix SSL on my VM. I found three certs from a local CA in the OSX keychain, exported those in PEM format and dropped them into my Kali VM via SCP after enabling SSH. Copy/paste would have worked here too except I haven't finished installing the Parallels tools due to a dependency issue I'm still working on solving.
I had to convert the three PEM files into CRT format via openssl like this:
openssl x509 -in certificate.pem -inform PEM -out certificate.crt
Then I copied them to the /usr/local/share/ca-certificates/ folder and ran the "update-ca-certificates" command to import the certs. To test it out I ran an openssl s_client command to Wikipedia:
openssl s_client -showcerts -connect en.wikipedia.org:443
This command initiates a TLS connection and displays the certificates used. I discovered what appeared to be an intermediate cert for the TLS proxy so I copied that and pasted it into a new file, copied it to the ca-certificates folder and ran update-ca-certificates again. Now when I ran openssl showcerts it appeared to be working, but my browser was still encountering cert errors. I suspected that Firefox ESR uses it's own cert store so I went ahead and imported all four certs into Firefox too.
Success! :) |
No comments:
Post a Comment