2021-08-28 10:27:55 +00:00
# CA.sh
## Generate CA + wildcard cert for any hostname
`CA.sh` takes a domain name as input and outputs a directory named "CA", containing:
- a certificate authority (private key + cert + serial number file + a copy of the cert appropriately named for inclusion in the Android trust store);
- a CA-signed cert for the provided hostname;
- if the hostname is a domain, then a wildcard cert is generated, matching `domain.tld` and `*.domain.tld`;
- the hostname can also be an IP address.

Both the CA and the cert are valid for 30 days.
## Usage
```
./CA.sh example.org
```
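
A sanity check for the generated files before the CA is installed anywhere, as an added example that is not part of CA.sh: it prints the `<subject_hash_old>.0` name Android looks up for a CA file and confirms that a leaf cert chains to the CA and covers a hostname. The function names, the throwaway demo CA and all file names are constructed for illustration, and DNS hostnames are assumed (IP addresses are not handled).

```shell
#!/bin/sh
# Added example. The demo CA and all file names below are constructed
# for illustration; they are not CA.sh's own output layout.

# Print the name Android expects for a CA file in
# /system/etc/security/cacerts/: <subject_hash_old>.0 (the MD5-based
# OpenSSL subject hash, not the default -subject_hash).
android_ca_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Succeed only if leaf cert $2 chains to CA cert $1 and its names cover
# hostname $3 (openssl verify fails on "Hostname mismatch").
leaf_matches() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Build a throwaway 30-day CA and wildcard leaf for domain $2 in dir $1.
make_demo_ca() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'subjectAltName=DNS:%s,DNS:*.%s\n' "$2" "$2" > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo CA' \
        -keyout ca.key -out ca.csr 2>/dev/null &&
    openssl x509 -req -in ca.csr -signkey ca.key -days 30 \
        -extfile ca.ext -out ca.crt 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout leaf.key -out leaf.csr 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
)

# Usage: sh check.sh <ca.crt> <leaf.crt> <hostname>
if [ "$#" -eq 3 ]; then
    echo "Android file name: $(android_ca_name "$1")"
    leaf_matches "$1" "$2" "$3" && echo "leaf is valid for $3"
fi
```
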
## Optional dependencies
- `ipcalc-ng`, for detecting if the supplied hostname is an IP address.
- `idn`, for converting [IDNs](https://en.wikipedia.org/wiki/Internationalized_domain_name) to punycode.
## Adding the CA to the Android trust store
The reason I wrote this script was to intercept an Android app's TLS-encrypted traffic. In order to do this, the CA cert must be added to the Android trust store. Here's how:

In Android versions prior to 4, see http://wiki.cacert.org/FAQ/ImportRootCertAndroidPreICS

In Android versions 4, 5 and 6, you can simply copy the file to your phone and add it from the Android UI.

In Android 7+, in order for the CA to be trusted by all apps, you need to have a rooted phone. Allow USB debugging, grant root access for ADB, connect the phone to a computer and run the following commands:
```
# restart ADB as root
adb root
# remount the /system partition as read+write
adb remount
# copy the CA file to the root store
adb push CA/android/*.0 /system/etc/security/cacerts/
```
Then you can spoof a domain's IP address by adding it to the Android system's hosts file:
```
adb shell 'echo "192.168.0.2 example.org" >> /system/etc/hosts'
```
To allow TLS interception on a non-rooted phone, you need to slightly modify the app you are snooping on, as described in:
- https://medium.com/androgoat/intercept-https-traffic-from-android-app-androgoat-part-2-60f7777b237d
- https://stackoverflow.com/a/22040887

If the app uses certificate pinning, you may need a program like [Apktool](https://ibotpeaches.github.io/Apktool/), [Frida](https://frida.re/docs/android/) or [baksmali](https://github.com/JesusFreke/smali).

Thanks to Soarez for his [OpenSSL CA guide](https://gist.github.com/Soarez/9688998)!