Windows Store Apps, Certificate Trust, and SSL Man In The Middle

Question

Hello,

I work on an application that legitimately utilizes SSL/TLS Man In The Middle (MITM) in order to inspect secure traffic with user consent. Basically we install our Root CA into the Windows System store (again, per the users request) then MITM traffic via a WFP driver/service.

This works for applications such as Internet Explorer (including IE when in Windows Store / "Metro" mode). However, when using WinJS/HTML applications (e.g. applications hosted by WWAHost.exe) it appears that our root CA may be being ignored. During the handshake, after we send back the MITM'd server certificate, clients hang up. Browsing to the same URL the client is attempting to use with our MITM enabled in a browser works.

From what I have read, by default these applications should be validating CA's down to the system root store with the alternative being to use the Certificates Extension (embed CA/trust in the manifest). I have inspected the .xml manifests of some of the applications in question and do not see this extension being used, nor do I see any explicit "pinning" being used.

Any information regarding this is highly appreciated!

Answer 1

Hi Bryan,

You should be able to have the user install the certificate in the Machine Root CA store.  Note other certs in the chain if any have to also be installed and valid.

This is how you can use Fiddler successfully with Windows Store apps.

-Jeff

---

Jeff Sanders (MSFT)

Answer 2

Thank you Jeff, you pointed me in the right direction! The issue was that I had my certificates installed in the "User" portion of the system store and not the "Machine".

Bryan