I had a similar request, but I need a MITM proxy to add headers to requests for TLS-encrypted endpoints. Normally TLS interception using a CA is the way to go. It is just that in our environment we cannot issue private CAs, but the endpoints we need to serve are limited and we can issue a new certificate for such domains.
As an example, I can issue a certificate with the domain name myservice.dummy.com; then I expect it to work with
curl -x localhost:8899 https://myservice.dummy.com
Unfortunately it fails with
I start the proxy with flags
where the tls.crt with
-- truncated --
    X509v3 Subject Alternative Name:
        DNS:myservice.dummy.com
    X509v3 Certificate Policies:
        Policy: 1.2.840.113635.100.5.15.2
          User Notice:
            Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.
          CPS: xxx
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication
    X509v3 CRL Distribution Points:
        Full Name:
          URI:
    X509v3 Subject Key Identifier:
        EB:56:1E:E4:30:72:42:CA:26:C2:D3:F5:8D:5B:D4:F0:A1:D6:93:E3
    X509v3 Key Usage: critical
        Digital Signature
    1.2.840.113635.100.6.86:
ca-certificates.crt contains the corporate certificate chain.
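The setup described in the post above, as an added example that is not part of the original post and not the code of any proxy project: a minimal CONNECT proxy that terminates TLS only for hostnames it holds a certificate for, injects headers into the first request on the tunnel, and relays to the real origin over TLS verified against the corporate bundle. The file names tls.crt, tls.key and ca-certificates.crt and the port 8899 follow the post; the header name X-Injected-By and the 403 for unlisted hosts are this example's own choices. Two things worth keeping in mind when a client such as curl fails against such a proxy: curl validates the certificate the proxy presents against curl's own trust store, not the proxy's, so if the issuing CA is corporate, curl needs `--cacert ca-certificates.crt` (or the CA in the system store) and tls.crt must include any intermediates; and the SAN must match the CONNECT hostname exactly, which is why the proxy refuses hosts it has no certificate for instead of presenting a mismatched one.

```python
"""Header-injecting CONNECT proxy for a fixed set of TLS hosts.

Added example, not code from the post or any proxy project. Assumes tls.crt
holds the leaf for myservice.dummy.com plus intermediates, tls.key its key,
and ca-certificates.crt the corporate chain; X-Injected-By is made up.
"""
import socket
import ssl
import threading

# One (cert, key) pair per hostname the proxy may impersonate (assumed files).
ALLOWED_HOSTS = {"myservice.dummy.com": ("tls.crt", "tls.key")}
EXTRA_HEADERS = {"X-Injected-By": "mitm-proxy"}   # assumed header
CA_BUNDLE = "ca-certificates.crt"                  # verifies the real upstream


def parse_connect(line: bytes):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1', else None."""
    parts = line.strip().split()
    if len(parts) != 3 or parts[0].upper() != b"CONNECT":
        return None
    host, _, port = parts[1].rpartition(b":")
    if not host or not port.isdigit():
        return None
    return host.decode("ascii", "replace").lower(), int(port)


def inject_headers(request: bytes, extra: dict) -> bytes:
    """Insert/replace headers in one HTTP/1.x message; the body passes through."""
    head, sep, body = request.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    names = {k.lower() for k in extra}
    kept = [h for h in headers
            if h.split(b":", 1)[0].strip().decode("latin-1").lower() not in names]
    added = [f"{k}: {v}".encode("latin-1") for k, v in extra.items()]
    return b"\r\n".join([request_line, *kept, *added]) + (sep or b"\r\n\r\n") + body


def read_head(sock) -> bytes:
    """Read until the end of the HTTP header block (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client):
    with client:
        target = parse_connect(read_head(client).split(b"\r\n", 1)[0])
        if target is None or target[0] not in ALLOWED_HOSTS:
            # No cert for this name: refuse rather than present a SAN mismatch.
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        host, port = target
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # faces the client
        srv_ctx.load_cert_chain(*ALLOWED_HOSTS[host])
        up_ctx = ssl.create_default_context(cafile=CA_BUNDLE)  # faces the origin
        try:
            tls_client = srv_ctx.wrap_socket(client, server_side=True)
            upstream = up_ctx.wrap_socket(socket.create_connection((host, port)),
                                          server_hostname=host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: {exc}")   # e.g. the client rejected our certificate
            return
        with tls_client, upstream:
            # Only the first request on the tunnel gets the extra headers;
            # later keep-alive requests are relayed untouched.
            first = read_head(tls_client)
            if first:
                upstream.sendall(inject_headers(first, EXTRA_HEADERS))
                threading.Thread(target=pump, args=(tls_client, upstream),
                                 daemon=True).start()
                pump(upstream, tls_client)


def serve(bind=("127.0.0.1", 8899)):
    """Accept loop; 8899 matches the curl -x port used in the post."""
    with socket.create_server(bind) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it in the directory holding the three files and point curl at it with `curl --cacert ca-certificates.crt -x localhost:8899 https://myservice.dummy.com`; a handshake failure on the client side shows up as the printed exception in the proxy, which is usually quicker to read than curl's side of the error.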