No matter whether you are a network application developer or a network administrator, you may need to debug or troubleshoot the encrypted network protocol HTTPS. Wireshark is a powerful and useful troubleshooting tool; if the traffic is encrypted, however, the captured network traffic is useless on its own.



Look at the figure above: the protocol shows as TLSv1 and the application data is encrypted. We can’t tell a thing from the encrypted data. Wireshark is able to use the server’s private key to decrypt the packets. To decrypt the packets, we first need to get the private key from the server. Note that the private key is on the server, not on the client machine (you must know where to find the certificate on a browser). So don’t think you can use a client private key to hack a server’s encryption. Let’s see how to get the private key from the server.

Step 1. Export private key

Open IIS Manager > right-click the website > Properties > Directory Security > View Certificate



Open the Details tab > Copy to File > choose Yes, export the private key



Choose Personal Information Exchange – PKCS #12 (.PFX), with all three options below it unchecked



You are required to use a password to protect the private key; this screen can’t be skipped.



Specify a location and a file name to save the file (note that the extension is .pfx)



Done, the .pfx file is what we want.

Step 2. Extract the private key from .pfx to .pem

To extract the private key, we need a tool, OpenSSL, an open-source toolkit implementing the SSL and TLS v1 protocols. Download OpenSSL and use the command below to extract the private key.

Code:

openssl pkcs12 -in test.pfx -nocerts -out privateKey.pem -nodes

This command reads test.pfx and writes the private key out in the .pem format. During extraction, you need to enter the password you used in Step 1.

Step 3. Load the private key to Wireshark

Run Wireshark > Edit > Preferences > Protocols > SSL



In the RSA keys list, enter the line below:

Code:

10.88.229.196,443,http,C:\privateKey.pem

10.88.229.196: the server IP address
443: the HTTPS port number
http: the protocol you want the decrypted packets dissected as
C:\privateKey.pem: the private key extracted in Step 2

Once you click OK, you’ll see the change: in Wireshark, the TLSv1 packets are now decrypted to HTTP.
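As an added example (not part of the original post), the following Python checks the two artifacts Steps 2 and 3 produce. It classifies the PEM file that `openssl pkcs12 -nocerts -nodes` wrote (the `-nodes` flag leaves the key unencrypted, which is what Wireshark needs; an `ENCRYPTED PRIVATE KEY` header means the flag was missing) by looking at the PEM label and, for a PKCS#8 key, at the algorithm OID inside it, and it builds the `ip,port,protocol,keyfile` line for the RSA keys list with basic field validation. The PEM blobs, IP address and path used below are constructed sample data, not real keys or servers.

```python
"""Sanity checks for the Wireshark RSA-keys workflow (added example, not the post's code)."""
import base64
import ipaddress
import re

# DER encodings of two AlgorithmIdentifier OIDs, tag (0x06) and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_PUBLIC_KEY_OID = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)


def _der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def classify_pem(pem_text):
    """Classify the private key an OpenSSL export wrote.

    Returns one of:
      'pkcs1-rsa'        BEGIN RSA PRIVATE KEY (traditional OpenSSL RSA key)
      'pkcs8-rsa'        BEGIN PRIVATE KEY whose AlgorithmIdentifier is rsaEncryption
      'pkcs8-other'      BEGIN PRIVATE KEY for a non-RSA algorithm (e.g. EC)
      'pkcs8-encrypted'  BEGIN ENCRYPTED PRIVATE KEY (-nodes was not used)
      'no-private-key'   no private key block found (e.g. only a certificate)
    """
    for m in _PEM_RE.finditer(pem_text):  # skips "Bag Attributes" and other preamble
        label = m.group("label")
        if label == "RSA PRIVATE KEY":
            return "pkcs1-rsa"
        if label == "ENCRYPTED PRIVATE KEY":
            return "pkcs8-encrypted"
        if label == "PRIVATE KEY":
            der = base64.b64decode("".join(m.group("body").split()))
            # PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, OCTET STRING, ... }
            tag, start, _ = _der_read_tlv(der, 0)
            if tag != 0x30:
                return "pkcs8-other"
            _, _, ver_end = _der_read_tlv(der, start)                 # skip version
            tag, alg_start, alg_end = _der_read_tlv(der, ver_end)     # AlgorithmIdentifier
            if tag == 0x30 and der[alg_start:alg_end].startswith(RSA_ENCRYPTION_OID):
                return "pkcs8-rsa"
            return "pkcs8-other"
    return "no-private-key"


def rsa_keys_entry(ip, port, protocol, key_path):
    """Build one 'ip,port,protocol,keyfile' line for Wireshark's RSA keys list.

    Raises ValueError for an obviously bad field so a typo is caught before
    Wireshark silently fails to decrypt.
    """
    ipaddress.ip_address(ip)  # raises ValueError unless a valid IPv4/IPv6 address
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % (port,))
    if not re.fullmatch(r"[a-z0-9_.-]+", protocol):
        raise ValueError("protocol should be a Wireshark dissector name such as 'http'")
    if "," in key_path:
        raise ValueError("a comma in the key path would split the entry")
    return "%s,%s,%s,%s" % (ip, port, protocol, key_path)


# --- constructed sample data (placeholders, not real key material) -----------

def _der(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _fake_pkcs8_pem(alg_oid_der):
    """PKCS#8 PrivateKeyInfo with the given algorithm and placeholder key bytes."""
    der = _der(0x30, _der(0x02, b"\x00")                        # version 0
               + _der(0x30, alg_oid_der + _der(0x05, b""))     # AlgorithmIdentifier, NULL params
               + _der(0x04, b"\x00" * 16))                     # placeholder, not a real key
    body = base64.b64encode(der).decode()
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % body


SAMPLE_RSA_PEM = "Bag Attributes\n    friendlyName: sample\n" + _fake_pkcs8_pem(RSA_ENCRYPTION_OID)
SAMPLE_EC_PEM = _fake_pkcs8_pem(EC_PUBLIC_KEY_OID)

if __name__ == "__main__":
    print(classify_pem(SAMPLE_RSA_PEM))   # pkcs8-rsa
    print(classify_pem(SAMPLE_EC_PEM))    # pkcs8-other
    print(rsa_keys_entry("10.88.229.196", 443, "http", r"C:\privateKey.pem"))
```

Run it as a script to see the three results. One caveat worth keeping in mind: this method works because the TLS pre-master secret is encrypted with the server's RSA key, so when the server negotiates a DHE or ECDHE cipher suite (forward secrecy) the server private key does not recover the session keys and Wireshark leaves the application data encrypted even with a correct entry; an EC key, which the classifier reports as `pkcs8-other`, cannot be used for this RSA-based decryption at all.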