fiddler2 unable to generate certificate

Question

I'm using Fiddler2 (or trying) to capture SSL traffic for a windows desktop gadget hitting an https web service. It used to work, and then it stopped a couple days ago, always with this error:

--------------------------- 
Unable to Generate Certificate 
--------------------------- 
Creation of the interception certificate failed. 
makecert.exe returned -1. 
Results from C:\Program Files\Fiddler2\MakeCert.exe -ss my -n 
"CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by 
http://www.fiddler2.com" -eku 1.3.6.1.5.5.7.3.1 -r -cy authority -a 
sha1 
Error: Can't create the key of the subject ('JoeSoft') 
Failed 
------------------------------------------- 

(I swiped the error from the google group for fiddler, although I just posted my own and it should be visible soon).

Has anyone else had this problem and solved it? Is Fiddler just broken?

Answer 1

cd to the installation folder "d:\Program Files\Fiddler" run the following command

makecert.exe -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha1 -m 120 -b 09/05/2012

A certificate will be created and the problem will be solved

Answer 2

The simple fix for me was to install the Fiddler CertMaker

Answer 3

fiddler hardcoded command is out of date.

everyone stop deleting folder.

just install the fliddler plugin that claims to generates a "better cert that works with android". its on the official fiddler plugin list.

that plugin will fix it for you.

Answer 4

I had this exact error and was only able to solve it by:

1. Updating fiddlerCore
2. As @DemytroUa said 'In Tools->Options->HTTPS tab unchecked the "Capture HTTPS CONNECTSs" option. And clicking "Remove Interception Certificates" button at the bottom of the dialog'
3. Opening the cert manager (enter certmgr.msc in the run dialog - windows + r)
4. Navigate into Personal -> Certificates
5. Deleting All "DO_NOT_TRUST_FiddlerRoot" certificates
6. On Fiddler check "Decrypt HTTPS traffic in Tools->Fiddler Options->HTTPS tab

It is possible that you only have to update fiddlerCore (See this SO question for more details), but I listed everything I did to be totally safe.

Answer 5

I had the same issue on my Windows 8 box. Manually removing the key files per @Nicholas-Cloud didn't help me. So I kept trying different things and finally was able to sort this out.

To solve the certificate problem I did the following:

1. In Tools->Options->HTTPS tab unchecked the "Decrypt HTTPS traffic" option. This enabled the "Remove Interception Certificates" button at the bottom of the dialog
2. Clicked the "Remove Interception Certificates" button
3. Said "Yes" to all pop-up messages
4. Enabled the "Decrypt..." option back.
5. The series of pop-up messages will follow as described in Fiddler Windows 8 Configuration Steps

Note: if the above steps don't help you, try re-installing Fiddler and repeating the steps. I did re-installed it first, before getting to HTTP options.

Answer 6

You can identify the conflicting file by looking for "JoeSoft" in the content of the files from the C:\Users\\AppData\Roaming\Microsoft\Crypto\RSA\ path.

Answer 7

In Win7

• So go here: C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\
• Select all the files (named with UUIDS).
• Move those files to your Desktop or other folder outside AppData dir.
• Launch Fiddler, go to Tools | Fiddler Options | Enable HTTPS decryption
• See that it works this time (hopefully).
• Move the files back from their temp location (i.e., Desktop),
  to their original one: C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\
• When one of the files asks whether you want to replace the existing one, skip it.

Answer 8

If Fiddler certificate generation fails, the proper fix is to hand-pick the existing Fiddler2 private key and delete that. The above PowerShell code to completely destroy user's private key store is very bad idea. It will make every personal certificate useless.

Confirm the problem by running the same command Fiddler2 would run:

cd "C:\Program Files (x86)\Fiddler2"
makecert.exe -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha1 -m 120 -b 09/05/2012

If the certificate generation fails, existing private key needs to be deleted. See http://poshcode.org/3637 for tool to find private key for a certificate.

Run it:

Get-PrivateKeyPath CN=DO_NOT_TRUST_FiddlerRoot

It will return something like c:\Users\JoeUser\AppData\Roaming\Microsoft\Crypto\RSA\7b90a71bfc56f2582e916a51aed6df9a_f6d54f4e-ff40-450e-9d77-7cfc383b357 Delete that file and attempt generating the certificate again. It should succeed. Do NOT destroy your entire private key store.

Answer 9

As an addition to Nicholas Cloud's reply, here's a little script that helps you rename that folder:

# Find my SID 
$user = New-Object System.Security.Principal.NTAccount([Environment]::UserName) $mySID = ($user.Translate([System.Security.Principal.SecurityIdentifier])).Value

# Rename keys folder with a timestamp
$timeStamp = Get-Date -format "ddMMyyhhmmss"
$folder = Join-Path -Path $env:USERPROFILE -ChildPath "appData\Roaming\Microsoft\Crypto\RSA\$mySID"
Rename-Item -Force $folder "$folder.$timeStamp"

Adding a comment to the Nicholas's reply did allow me to format the code so I ended up creating a separate reply.

Answer 10

I had the same error. This was certainly due to the presence of earlier versions of Fiddler and some incompatibility between them.

The above folder is used only by Fiddler where it stores the certificates that it creates (or at least for personal certificates on your box and Fiddler is certainly the only one using it). You may want to check if you have other personal certificates than Fiddler ones. In IE this is using Tools / internet options / content / certificates / personal.

Totally empty the folder and don't be afraid of the message about removing system files. Then in Fiddler, select again the options to capture then decrypt the HTTPS traffic. If required, re export the Fiddler root certificate on the desktop then re import it in IE and FF. Restart your browsers if required and enjoy.

I suppose instead of removing all that removing only in IE the private certificate issued to DO_NOT_TRUST_FIddlerRoot does the same but I have not tested this.

Remember to turn off the decrypt option as soon as you don't need it anymore.

Answer 11

Nicholas' answer is correct. In order to help others find this page too:

This may be helpful if you get the message "Unable to export Fiddler's Root Certificate" when you click the "Export Fiddler Root Certificate to Desktop" button in Fiddler, or call Fiddler.CertMaker.createRootCert() from code.

Answer 12

I and others have had this problem. It is a key directory that already exists in the key store with the same name as the key directory that Fiddler is trying to create (probably from a previous version of Fiddler).

The key directory on my machine is located in:

C:\Users\\[username]\AppData\Roaming\Microsoft\Crypto\RSA\\[folder-with-big-name]\

Note that the conflict was actually the key folder name. I just renamed the folder and then the key generation worked fine.

See this link for more information: https://groups.google.com/d/msg/httpfiddler/B-Mu6AxgiIc/LY69rWUBshMJ