SSL certificate configuration via CLI #2252

Open
sharat87 opened this issue Feb 10, 2025 · 7 comments
Labels: ✅ Done (Ticket is addressed and fixed.), enhancement (New feature or request)

Comments

@sharat87

Description

  1. Support for exporting the CA cert used by Proxyman with a proxyman-cli.
  2. Support for adding a new cert to Proxyman's trust store with proxyman-cli.

Why this feature/change is important?

On 1, I often run Docker containers in which I set the proxy environment variables to point to Proxyman. But I need a quick "automate-able" way to give the CA to the container for it to trust. So if there's a proxyman-cli export-ca that prints out the contents of the CA cert used by Proxyman as a .pem, that'd be perfect.

On 2, my application uses Kubernetes API on AWS EKS clusters. Authenticating there means that EKS responds with a custom CA cert that I need to trust to make further calls to the Kubernetes API endpoint. If I am to use Proxyman for this, I need to have Proxyman trust that CA, dynamically at runtime, so that Proxyman can talk to the Kubernetes API endpoint.

I'm achieving both of these with mitmproxy today, but I'd like to use Proxyman instead. The first is solved because mitmproxy's CA cert is just a file in ~/.mitmproxy, so I can do as I wish. The second is solved by dynamically appending the cert to mitmproxy's certifi trust store and refreshing mitmproxy's SSL context cache (via a custom add-on).

But with Proxyman, I don't think this is doable today. I'd really like to see these so I can move to Proxyman since this has better breakpoint and scripting functionality.

Thanks!

@sharat87 sharat87 added the enhancement New feature or request label Feb 10, 2025
@NghiaTranUIT (Member) commented Feb 10, 2025

  1. If you're using Proxyman 5.14.0, the root certificate is stored at ~/Library/Application Support/com.proxyman.NSProxy/app-data/proxyman-ca.pem, so you don't need to export it every time.

     For Proxyman 5.13 or earlier, it's at ~/.proxyman/proxyman-ca.pem.

  2. Do you mean it's a custom Root Certificate? Use your own certificate instead of the Proxyman Root Cert.
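Putting the on-disk CA to the use described in the opening post (handing it to a Docker container that is pointed at Proxyman), as an added example that is not part of this thread and not Proxyman's own tooling. It resolves the two version-dependent paths given in the comment above, checks that the file parses as an X.509 certificate before trusting it anywhere, and mounts it into a container. Assumptions: Proxyman is listening on the host's port 9090 (its default), the container can reach the host as host.docker.internal, and the image honours HTTP_PROXY/HTTPS_PROXY plus one of the common CA-bundle variables (SSL_CERT_FILE, REQUESTS_CA_BUNDLE, NODE_EXTRA_CA_CERTS).

```shell
#!/bin/sh
# Added example (not Proxyman's own tooling): locate the Proxyman root CA on
# disk and hand it to a Docker container whose traffic goes through Proxyman.

# Resolve the CA path from the two locations given in the thread:
# Proxyman 5.14.0+ under Application Support, 5.13 and earlier under ~/.proxyman.
# Prints the first one that exists; returns 1 if neither does.
# An optional first argument overrides $HOME (used for testing).
proxyman_ca_path() {
  home="${1:-$HOME}"
  for candidate in \
    "$home/Library/Application Support/com.proxyman.NSProxy/app-data/proxyman-ca.pem" \
    "$home/.proxyman/proxyman-ca.pem"
  do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  echo "Proxyman CA not found; has Proxyman been started and generated its CA?" >&2
  return 1
}

# Sanity-check that a file is a PEM X.509 certificate before handing it to
# anything that will trust it. Returns 1 if openssl is absent or parsing fails.
is_pem_certificate() {
  command -v openssl >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Run a container with the CA mounted read-only and the standard proxy
# variables pointing at Proxyman. Assumptions (see lead-in): Proxyman listens on
# host port 9090, host.docker.internal resolves to the host, and the image reads
# the CA-bundle variables set below.
run_with_proxyman_ca() {
  image="$1"; shift
  ca="$(proxyman_ca_path)" || return 1
  is_pem_certificate "$ca" || { echo "refusing to mount $ca: not a PEM certificate" >&2; return 1; }
  proxy="http://host.docker.internal:9090"
  docker run --rm -it \
    -v "$ca:/etc/proxyman-ca.pem:ro" \
    -e HTTP_PROXY="$proxy" -e HTTPS_PROXY="$proxy" \
    -e SSL_CERT_FILE=/etc/proxyman-ca.pem \
    -e REQUESTS_CA_BUNDLE=/etc/proxyman-ca.pem \
    -e NODE_EXTRA_CA_CERTS=/etc/proxyman-ca.pem \
    "$image" "$@"
}

# Usage (not run here): run_with_proxyman_ca curlimages/curl https://example.com/
```

Mounting the file read-only and only setting the per-tool CA-bundle variables keeps the Proxyman CA scoped to that one container run rather than installing it into the image's system trust store.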

@sharat87 (Author)

Thanks. I didn't know it's already saved as a file. I'll use that.

On 2, I think I wasn't clear. I'm not using any Proxyman root cert. It's a new custom root cert that the EKS API responds with, which I now need to trust. Here's an example of the flow:

  1. I authenticate with AWS EKS.
  2. EKS responds giving me a custom CA root cert, along with an API Token.
  3. I need to trust that CA root cert.
  4. Then hit that cluster's Kubernetes API, with that API token, and expect the TLS verification to happen with that custom CA root.

If I am to do this via Proxyman, I need Proxyman to trust that new custom CA cert, so my application can talk to Kubernetes. This CA cert is not known in advance for me to do anything with it. I only get it after authenticating to EKS. Am I making sense? I can try to rephrase again if not. 🙂

@NghiaTranUIT (Member)

Yes, it makes sense. I'm not sure if you're aware that you can do it with the GUI temporarily.

  1. Proxyman -> Certificate menu -> Add Custom Certificate
  2. In the Root Certificate Tab -> Import (Support PEM/DER or P12)
  3. At this point, your custom cert isn't trusted in the macOS Keychain yet. Open Keychain -> search for your custom cert -> open it -> select Trust All -> Save
  4. Back to Proxyman: A green tick ✅ will verify it.

(Screenshot: Add custom certificate to Proxyman)
For CLI, I will add this feature for you 👍

@NghiaTranUIT NghiaTranUIT added this to the Proxyman 5.15.0 milestone Feb 10, 2025
@NghiaTranUIT NghiaTranUIT self-assigned this Feb 10, 2025
@NghiaTranUIT (Member)

@sharat87 let's try this Beta build:

Changelog

  • Install custom p12 root certificate to Proxyman
  • Trust it in System Keychains (sudo required)

Help

/Applications/Proxyman.app/Contents/MacOS/proxyman-cli install-root-cert --help
OVERVIEW: Install a custom .p12 root certificate into Proxyman and Keychain Access if needed.

USAGE: proxyman-cli install-root-cert <path> [--password <password>] [--trust]

ARGUMENTS:
  <path>                  Path to the .p12 certificate file

OPTIONS:
  -p, --password <password>
                          Password for the .p12 certificate
  --trust                 Trust the certificate in System Keychain (requires sudo)
  --version               Show the version.
  -h, --help              Show help information.

Install and trust

/Applications/Proxyman.app/Contents/MacOS/proxyman-cli install-root-cert <certificate_path> --password <yourpassword> --trust

Install but do not trust (you might need to trust it manually in the Keychain)

/Applications/Proxyman.app/Contents/MacOS/proxyman-cli install-root-cert <certificate_path> --password <yourpassword>

@NghiaTranUIT NghiaTranUIT added the ✅ Done Ticket is addressed and fixed. label Feb 13, 2025
@sharat87 (Author)

@NghiaTranUIT, thanks for the quick turnaround here. Confirming if I understand this right: if I don't add --trust, it won't be added to the system trust store, but Proxyman will still trust it, right?

@sharat87 (Author)

Sorry, two more questions.

  1. I don't have a --password for the CA key, so I can omit that argument?
  2. Can I set the <certificate_path> to - so that the command will read the cert key from stdin?

@NghiaTranUIT (Member)

> @NghiaTranUIT, thanks for the quick turnaround here. Confirming if I understand this right: if I don't add --trust, it won't be added to the system trust store, but Proxyman will still trust it, right?

Yes, but I recommend trusting it; otherwise you might get an SSL error.

> Sorry, two more questions.
>
>   1. I don't have a --password for the CA key, so I can omit that argument?

Yes, let's give it a try.

>   2. Can I set the <certificate_path> to - so that the command will read the cert key from stdin?

No, this is not supported yet.
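A wrapper for the runtime flow the author describes, using the proxyman-cli install-root-cert command shown in the beta-build comment above and working around the two answers in this last reply (no stdin support, and no password on the cert), as an added example that is not part of this thread and not Proxyman's own tooling. A CA certificate arriving as PEM on stdin is written to a private temporary directory, wrapped into a certificate-only .p12 with openssl, installed, and the temporary files removed. Assumptions: openssl is on PATH; proxyman-cli accepts a .p12 that carries the certificate but no private key (a trust root needs no key, but the help text does not say whether the CLI requires one); the PROXYMAN_CLI variable and the pem_to_p12 and install_root_cert_from_stdin names are this example's own.

```shell
#!/bin/sh
# Added example (not Proxyman's own tooling). The CLI only takes a .p12 path and
# cannot read from stdin, so a CA certificate obtained at runtime is written to a
# private temp directory, wrapped into a cert-only .p12, installed, and cleaned up.
# Assumptions: openssl is on PATH; proxyman-cli accepts a .p12 without a private
# key (not confirmed by the help text); PROXYMAN_CLI can be overridden for tests.

PROXYMAN_CLI="${PROXYMAN_CLI:-/Applications/Proxyman.app/Contents/MacOS/proxyman-cli}"

# Wrap a PEM certificate file into a certificate-only PKCS#12 file protected by
# the given password. Refuses input that does not parse as an X.509 certificate.
pem_to_p12() {
  pem="$1"; p12="$2"; password="$3"
  openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo "not a PEM certificate: $pem" >&2; return 1; }
  openssl pkcs12 -export -nokeys -in "$pem" -out "$p12" -passout "pass:$password"
}

# Read a PEM certificate from stdin and install it with proxyman-cli.
# Pass "--trust" as $1 to also trust it in the System Keychain (the CLI then
# needs sudo, per its help text). Returns the CLI's exit status.
install_root_cert_from_stdin() {
  trust_flag="$1"
  workdir="$(mktemp -d)" || return 1
  chmod 700 "$workdir"
  cat > "$workdir/ca.pem"
  # Throwaway password for the temporary .p12; the file is deleted below.
  password="$(openssl rand -hex 16)"
  status=0
  if pem_to_p12 "$workdir/ca.pem" "$workdir/ca.p12" "$password"; then
    # $trust_flag is deliberately unquoted so an empty value adds no argument.
    "$PROXYMAN_CLI" install-root-cert "$workdir/ca.p12" --password "$password" $trust_flag || status=$?
  else
    status=1
  fi
  rm -rf "$workdir"
  return "$status"
}

# Usage (not run here), fetching the EKS cluster CA with the AWS CLI:
#   aws eks describe-cluster --name "$CLUSTER" \
#     --query cluster.certificateAuthority.data --output text \
#     | base64 --decode | install_root_cert_from_stdin --trust
```

Generating the .p12 locally means the password only ever protects a file that lives for the duration of the call, and validating the input with openssl x509 first avoids handing an arbitrary blob to a command that will install it as a trust root.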
