WARP Client SSL Decryption Certificate on Linux & Container
WARP has the ability to decrypt TLS traffic in order to provide visibility into that traffic. With this functionality you can better control HTTP applications, file transfers, and malware.
If you are running Linux in a VM or container on a host running WARP, this post walks you through deploying the certificate inside the VM/container so that the CLI tools continue to work without SSL errors.
Until the certificate is deployed, command-line tools will give SSL errors. If you run a command like openssl s_client -connect bagof.ninjastars.cf:443 you will get an error like this:
CONNECTED(00000003)
depth=1 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", OU = Gateway Intermediate ECC Certificate Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ninjastars.cf
verify return:1
---
Step 1 - Get the Certificate
Get this certificate onto the system in whichever way suits you. It is published at https://developers.cloudflare.com/cloudflare-one/9922abcf75b55a3bb68a8e42ebe5c4a5/Cloudflare_CA.crt, for example:
- curl -o Cloudflare_CA.crt https://developers.cloudflare.com/cloudflare-one/9922abcf75b55a3bb68a8e42ebe5c4a5/Cloudflare_CA.crt
- wget https://developers.cloudflare.com/cloudflare-one/9922abcf75b55a3bb68a8e42ebe5c4a5/Cloudflare_CA.crt
- docker cp Cloudflare_CA.crt containername:/path/where/you/want/it
Step 2 - Convert Format
The certificate is delivered in DER format, which is binary-encoded X.509. Linux tools typically want the plain text (PEM) format, which is what this step produces.
openssl x509 -in Cloudflare_CA.crt -inform DER -out Cloudflare_CA.cert
You can cat each of these files to see that the new .cert file is now plain text.
Step 3 - Move the Certificate
To get the system to import the certificate, move it into the appropriate directory.
Be sure to give your decoded certificate the .crt extension. Also note that on some systems the destination path for your certificate may be /usr/share/ca-certificates.
cp Cloudflare_CA.cert /usr/local/share/ca-certificates/CloudflareCA.crt
Step 4 - Import the Certificate
The following command will import the certificate into the system trust store.
update-ca-certificates
Step 5 - Validate the Change
Re-run the openssl command from above, openssl s_client -connect bagof.ninjastars.cf:443, and you will get a response that no longer includes the verify error.
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = bagof.ninjastars.cf
verify return:1
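As an added example (not from the original post), here are steps 2 to 4 as one Python script for container images whose base layer does not ship the openssl binary: it does the DER-to-PEM wrapping itself, writes the result with the .crt extension into /usr/local/share/ca-certificates (Debian/Ubuntu layout, assumed), and prints the SHA-256 fingerprint so you can compare it with the value shown where you downloaded the certificate before trusting it.

```python
"""Stage the Cloudflare Gateway CA for update-ca-certificates (added example).
Pure-Python stand-in for `openssl x509 -inform DER` on images without openssl."""
import base64
import hashlib
import os
import sys

CA_DIR = "/usr/local/share/ca-certificates"  # dir scanned by update-ca-certificates (Debian/Ubuntu, assumed)
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def is_pem(data: bytes) -> bool:
    """True if the file is already PEM text rather than binary DER."""
    return data.lstrip().startswith(b"-----BEGIN")

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block with 64-char Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"

def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem: drop the armour lines and decode the Base64 body."""
    body = [ln.strip() for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 of the DER bytes in the colon form printed by openssl x509 -fingerprint."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def stage_certificate(src_path: str, ca_dir: str = CA_DIR, name: str = "CloudflareCA.crt"):
    """Write the CA as PEM into ca_dir; returns (dest_path, fingerprint)."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    pem = data.decode("ascii") if is_pem(data) else der_to_pem(data)
    der = pem_to_der(pem)  # fingerprint is always taken over the DER bytes
    dest = os.path.join(ca_dir, name)  # must end in .crt or update-ca-certificates skips it
    with open(dest, "w") as fh:
        fh.write(pem)
    return dest, fingerprint_sha256(der)

if __name__ == "__main__":
    path, fp = stage_certificate(sys.argv[1] if len(sys.argv) > 1 else "Cloudflare_CA.crt")
    print(f"staged {path}\nSHA256 fingerprint: {fp}\nnext: run update-ca-certificates")
```

Run it as root (the target directory is not user-writable), then run update-ca-certificates as in step 4.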