The first time __mitmproxy__ or __mitmdump__ is run, a set of certificate files for the mitmproxy Certificate Authority are created in the config directory (~/.mitmproxy by default). This CA is used for on-the-fly generation of dummy certificates for SSL interception. Since your browser won't trust the __mitmproxy__ CA out of the box (and rightly so), you will see an SSL cert warning every time you visit a new SSL domain through __mitmproxy__. When you're testing a single site through a browser, just accepting the bogus SSL cert manually is not too much trouble, but there are a many circumstances where you will want to configure your testing system or browser to trust the __mitmproxy__ CA as a signing root authority. CA and cert files ----------------- The files created by mitmproxy in the .mitmproxy directory are as follows:
mitmproxy-ca.pem | The private key and certificate in PEM format. |
mitmproxy-ca-cert.pem | The certificate in PEM format. Use this to distribute to most non-Windows platforms. |
mitmproxy-ca-cert.p12 | The certificate in PKCS12 format. For use on Windows. |
mitmproxy-ca-cert.cer | Same file as .pem, but with an extension expected by some Android devices. |
-----BEGIN PRIVATE KEY----- <private key> -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- <cert> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <intermediary cert (optional)> -----END CERTIFICATE-----For example, you can generate a certificate in this format using these instructions:
> openssl genrsa -out cert.key 8192 > openssl req -new -x509 -key cert.key -out cert.crt (Specify the mitm domain as Common Name, e.g. *.google.com) > cat cert.key cert.crt > cert.pem > mitmproxy --cert=cert.pemUsing a client side certificate ------------------------------------ You can use a client certificate by passing the --client-certs DIRECTORY option to mitmproxy. If you visit example.org, mitmproxy looks for a file named example.org.pem in the specified directory and uses this as the client cert. The certificate file needs to be in the PEM format and should contain both the unencrypted private key as well as the certificate. Using a custom certificate authority ------------------------------------ By default, mitmproxy will (generate and) use ~/.mitmproxy/mitmproxy-ca.pem as the default certificate authority to generate certificates for all domains for which no custom certificate is provided (see above). You can use your own certificate authority by passing the --confdir option to mitmproxy. mitmproxy will then look for mitmproxy-ca.pem in the specified directory. If no such file exists, it will be generated automatically. Installing the mitmproxy CA --------------------------- * [Firefox](@!urlTo("certinstall/firefox.html")!@) * [OSX](@!urlTo("certinstall/osx.html")!@) * [Windows 7](@!urlTo("certinstall/windows7.html")!@) * [iPhone/iPad](@!urlTo("certinstall/ios.html")!@) * [IOS Simulator](@!urlTo("certinstall/ios-simulator.html")!@) * [Android](@!urlTo("certinstall/android.html")!@)