AdguardForMac icon indicating copy to clipboard operation
AdguardForMac copied to clipboard
verified publisher icon AdguardTeam

Feature Support: add suport for custom MitM CA

Open ZeroClover opened this issue 4 years ago • 5 comments

At present, AdGuard will generate a separate CA certificate for each installation, which does cause certain obstacles when using the local network HTTP proxy.

For example, since AdGuard is installed on a personal computer rather than a server, these devices may need to be installed with system updates and cannot be used for a long time. To switch the HTTP proxy to another device with AdGuard installed, the certificate must be reinstalled.

After replacing the computer, we also need to install new certificates for other devices in the local network, which is very troublesome for the TV boxes (such as Apple TV).

If you allow advanced users to customize the CA certificate, it helps to install a unified MitM CA on all devices without installing many CA certificates.

ZeroClover avatar Feb 03 '21 13:02 ZeroClover

Hello there!

It's actually a good idea. We plan to add a certificate to the export settings. The export will tentatively be added in the next updates of AdGuard.

https://github.com/AdguardTeam/AdguardForMac/issues/514

Chinaski1 avatar Feb 04 '21 13:02 Chinaski1

@Chinaski1

Is it possible to make it possible for AdGuard to use a custom CA certificate (rather than the CA certificate generated during AdGuard installation) to take advantage of an existing CA that has been issued through the MDM.

Since AdGuard for iOS can only use DNS filtering and Safari content filters, it cannot fully filter all ads. Setting the iPhone's HTTP proxy to the full version of AdGuard running on a Mac or Windows may help filter more ads. But installing separate certificates for each iOS device is a hassle.

ZeroClover avatar May 12 '21 12:05 ZeroClover

@ZeroClover you can export AdGuard's cert if you visit http://local.adguard.org/cert.

This link would also work if you configure your iOS devices to use AdGuard's HTTP proxy.

ameshkov avatar May 12 '21 13:05 ameshkov

@ameshkov Yes, but different AdGuard installations use different CAs. Since I need to move around multiple networks, I would like to use the same CA.

Also, configuring CA certificates for each AdGuard Windows / Mac installation on a larger number of iOS devices (20+) is a huge undertaking, especially since these CA certificates have the same name and completely different content, and maintaining them is very difficult :(

It is also helpful if there is a way to standardize the CA certificates used by multiple AdGuard installations.

ZeroClover avatar May 12 '21 13:05 ZeroClover

I see. Probably, could be exposed via advanced settings.

ameshkov avatar May 12 '21 13:05 ameshkov