Keyword MIM:certificate[/parameter]|exclude ... man-in-the-middle for proxy sessions (keyword PRX).
- Further hints and options concerning certificate loading can be found here.
This function is useful for debugging purposes to see the clear text of the TLS stream in proxy sessions.
If this keyword is specified for a proxy sessions and a CONNECT command has been sent from the client (source):
- the Application Gateway acts as a TLS server using the specified certificate
- and starts a TLS session as client to the destination.
Explicite certificate definition:
certificate specifies the certificate to be used.
exclude is optional and is a list of DNS names (names must contain ".") or groups separated by "|".
The group names must not contain ".". DNS names within groups must be separated by ",".
DNS names may start with * as wildcard. e.g. *.microsoft.com
For all matching destinations the Application Gateway does no TLS processing.
If certificate starts with character "!": Only for mentioned entries in exclude TLS processing will be done.
Examples:
MIM:cert.cer/LM ... use cert.cer for all connections
MIM:cert.pfx/passxyz|MIMexcl ... use cert.pfx for all connections except for those listed in group MIMexcl.
MIM:!cert.cer|MIMlist|*.xyz.com ... user cert.cer only for *.xyz.com and for those listed in group MIMlist.
MIM:!cert.cer/LM ... does not make sense because the certificate will never be used.
Automatic certificate generation:
Prerequisite is Windows Server 2016 or Windows 10 Professional (or higher, does not work for Windows Home!)
If MIM:$|exclude or MIM:*|exclude
or MIM:!$|exclude or MIM:!*|exclude is specified:
- The necessary certificates are generated automatically using the certificate defined by keyword MIMCA for signing.
- The generated certificates are stored as .cer and .pfx files to subdirectory GenCrt of the default directory.
- Subdirectory GenCrt will be created automatically.
- If a certificate is required and it has not been not loaded so far:
-- lookup in subdirectory GenCrt will be done
-- if not found: The certificate will be generated, stored and loaded.
- For definition of exclude and "!" processing see above.
If MIM:$... or MIM:!$... is specified: for each destination (DNS name) a separate certificate will be generated.
If MIM:*... or MIM:!*...is specified: wildcard certificates will be generated (CN starting with "*"), e.g. "*.orf.at"
If the keyword NOCHECK is specified: The certificate of the destination server will not be checked.
Keyword MIMCA:certificate[/parameter] ... load certificate for signing the generated certificates (keyword is valid only for manage entries)
- Further hints and options concerning certificate loading can be found here.
- This certificate must be a Certification Authority (CA) certificate and can be generated via PowerShell, see example:
$d=Get-Date 2028-12-31
New-SelfSignedCertificate -Type Custom -NotAfter $d -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=2") -FriendlyName "my friendly name" -Subject "CN=my name,O=my organization" -KeyUsage DigitalSignature,CertSign -KeyAlgorithm RSA -KeyLength 4096 -CertStoreLocation "Cert:\CurrentUser\My"
- This certificate will be used for all proxy connections where certificate generation is required.
- The .cer file of this CA certificate must be installed into "Trusted Root Certification Authorities" of the clients in order to trust the generated certificates.
Examples (MIMCA must be specified for certificate signing):
MIM:* ... generate und use wildcard certificates for all connections
MIM:*|MIMexcl ... generate and use wildcard certificates for all connections except for those listed in group MIMexcl.
MIM:!*|MIMlist|*.xyz.com ... generate and use wildcard certificates only for *.xyz.com and for those listed in group MIMlist.
MIM:!* ... does not make sense because no DNS names are specified.
MIM:$|*.dropbox.com|MIMexcl ... generate ans use separate certificates for each destination and for all connections except for *.dropbox.com and those listed in group MIMexcl.
MIM:!$|MIMa|MIMb ... generate and use separate certificates for each destination and for those listed in groups MIMa and MIMb.
Hints:
If you have manage privileges you can list and unload the certificates via Tools Miscellaneous Tools at any time.
When the MIMCA certificate has been changed the certificates in directory GenCrt should be deleted and the certificates should be unloaded.
The life time of the certificates is 3 years.
Summary:
- Organize or generate a CA certificate.
- Store it (with private key) and reference it with keyword MIM in one manage routing entry.
- Decide if you build exclude or include lists (groups).
- Define a routing entry with keyword PRX and keyword MIM as necessary.
If a CONNECT command has been processed the keyword MIM will be changed as follows:
MxM ... no TLS processing
MaM ... TLS processing is active
This can be seen via the status command.