# CA.sh

## Generate CA + wildcard cert for any hostname

`CA.sh` takes a domain name as input and outputs a directory named "CA", containing:

- a certificate authority (private key + cert + serial number file + a copy of the cert appropriately named for inclusion in the Android trust store);
- a CA-signed cert for the provided hostname;
- if the hostname is a domain, then a wildcard cert is generated, matching `domain.tld` and `*.domain.tld`;
- the hostname can also be an IP address.

Both the CA and the cert are valid for 30 days.

## Usage

```
./CA.sh example.org
```

## Optional dependencies

- `ipcalc-ng`, for detecting if the supplied hostname is an IP address.
- `idn`, for converting [IDNs](https://en.wikipedia.org/wiki/Internationalized_domain_name) to punycode.

## Adding the CA to the Android trust store

The reason I wrote this script was to intercept an Android app's TLS-encrypted traffic. In order to do this, the CA cert must be added to the Android trust store. Here's how:

In Android versions prior to 4, see http://wiki.cacert.org/FAQ/ImportRootCertAndroidPreICS

In Android versions 4, 5 and 6, you can simply copy the file to your phone and add it from the Android UI.

In Android 7+, in order for the CA to be trusted by all apps, you need to have a rooted phone. Allow USB debugging, grant root access for ADB, connect the phone to a computer and run the following commands:

```
# restart ADB as root
adb root
# remount the /system partition as read+write
adb remount
# copy the CA file to the root store
adb push CA/android/*.0 /system/etc/security/cacerts/
```

Then you can spoof a domain's IP address by adding it to the Android system's hosts file:

```
adb shell 'echo "192.168.0.2 example.org" >> /system/etc/hosts'
```

To allow TLS interception on a non-rooted phone, you need to slightly modify the app you are snooping on, as described in:

- https://medium.com/androgoat/intercept-https-traffic-from-android-app-androgoat-part-2-60f7777b237d
- https://stackoverflow.com/a/22040887

If the app uses certificate pinning, you may need a program like [Apktool](https://ibotpeaches.github.io/Apktool/), [Frida](https://frida.re/docs/android/) or [baksmali](https://github.com/JesusFreke/smali).

Thanks to Soarez for his [OpenSSL CA guide](https://gist.github.com/Soarez/9688998)!
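## Example: the generation steps in plain OpenSSL

The steps described at the top of this page (CA, CA-signed leaf cert with a wildcard or IP SAN, 30-day validity, an Android-named copy of the CA cert) written out as an added POSIX shell example. This is not the `CA.sh` script itself; it assumes RSA 2048-bit keys, the output layout `CA/ca.crt`, `CA/<host>.crt` and `CA/android/<hash>.0`, and treats every non-IPv4 input as a domain that gets both `DNS:host` and `DNS:*.host`. IPv6 and IDN inputs are not handled (the page's `ipcalc-ng` and `idn` dependencies are what cover those).

```shell
#!/bin/sh
# Added example, not the CA.sh script: generate a CA plus a SAN cert with openssl.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address (pure shell, no ipcalc-ng needed).
is_ipv4() {
  case "$1" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  IFS=. read -r a b c d <<EOF
$1
EOF
  [ -n "$d" ] || return 1
  for o in "$a" "$b" "$c" "$d"; do
    [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
  done
}

# Build the subjectAltName value: IP entry for an address,
# bare name + wildcard for a domain (the page's domain.tld / *.domain.tld rule).
san_for() {
  host="$1"
  if is_ipv4 "$host"; then
    printf 'IP:%s\n' "$host"
  else
    printf 'DNS:%s,DNS:*.%s\n' "$host" "$host"
  fi
}

# Create CA + leaf cert in $2 (default "CA"); both valid for 30 days.
gen_ca_and_cert() {
  host="$1"
  out="${2:-CA}"
  mkdir -p "$out/android"

  # 1. CA private key and self-signed CA cert (CN is an assumed value).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Test CA for $host" \
    -keyout "$out/ca.key" -out "$out/ca.crt"

  # 2. Leaf private key and CSR.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" \
    -keyout "$out/$host.key" -out "$out/$host.csr"

  # 3. Sign the CSR with the CA, adding the SAN extension.
  #    -CAcreateserial writes the serial number file (ca.srl) next to the CA cert.
  {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'subjectAltName=%s\n' "$(san_for "$host")"
  } > "$out/san.ext"
  openssl x509 -req -days 30 -sha256 -in "$out/$host.csr" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/san.ext" -out "$out/$host.crt"

  # 4. Android's /system/etc/security/cacerts/ expects files named
  #    <old-style subject hash>.0, so store a copy under that name.
  hash=$(openssl x509 -in "$out/ca.crt" -noout -subject_hash_old)
  cp "$out/ca.crt" "$out/android/$hash.0"
  echo "wrote $out/$host.crt (SAN: $(san_for "$host")) and $out/android/$hash.0"
}

# Usage: ./gen.sh example.org   or   ./gen.sh 192.168.0.2
if [ -n "${1:-}" ]; then
  gen_ca_and_cert "$1"
fi
```

After running it you can confirm the chain and the SAN with `openssl verify -CAfile CA/ca.crt CA/example.org.crt` and `openssl x509 -in CA/example.org.crt -noout -ext subjectAltName`; clients that only check the CN, not the SAN, are rare now, which is why the wildcard is placed in the SAN rather than in the subject.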