Skip to content

Install and Manage Certificates

To capture HTTPS with a proxy, the first step is to have devices and software trust this tool’s root certificate, otherwise you get TLS errors and cannot decrypt. Certificate management makes this one-click and comprehensive: this machine, phones, and even those programs that “still don’t trust it after the system certificate is installed” can all be set up.


  • Check at any time whether this machine already trusts this tool’s root certificate.
  • “Install and trust on this machine” with one click, once and done, after which every session can decrypt HTTPS.
  • When needed, download the root certificate (multiple formats) to distribute manually.

Certificate management: one-click install of the machine trust status, multi-format download, full coverage of independent trust stores such as Java / Python / OpenSSL, and generation of a QR code for phone installation


2. Install on a phone by scanning a QR code

Section titled “2. Install on a phone by scanning a QR code”
  • Generate a QR code for each usable address on the LAN; scan it with the phone camera, open the install page, and set up the certificate, supported on both iOS and Android.
  • iOS additionally offers a one-click configuration profile install.
  • Rooted Android devices can install the root certificate directly into the system certificate store, sparing you a manual import.
  • The root certificate is universally usable, and each device only needs to trust it once.

3. Full certificate coverage: even programs that “don’t trust the system certificate” can be decrypted

Section titled “3. Full certificate coverage: even programs that “don’t trust the system certificate” can be decrypted”

Some programs still cannot be decrypted even with the system certificate installed, because they only trust their own certificate list. Full certificate coverage installs the root certificate directly into these programs, so they too can be decrypted:

  • Java programs
  • Python programs
  • Command-line and scripting tools such as curl / wget / Ruby / PHP / git
  • Software such as Firefox / Thunderbird

The tool automatically discovers this software on your machine (including what is currently running) and shows “installed / not installed” for each. If auto-discovery misses something, you can also enter the path manually to add it.

This is exactly the perennial headache of ordinary capture tools: the certificate is installed, yet the program still cannot be decrypted. Full certificate coverage is the cure for this.


If the target site requires a client certificate and you happen to have one, import it (with password) on the “Client / Domain certificates” page, and then these sites can be decrypted normally when you capture them.


  • Before capturing HTTPS with a proxy for the first time, have this machine / phone trust the root certificate.
  • Capturing on a phone: scan the QR code to install the certificate.
  • When the target is a program such as Java / Python / curl / Firefox and decryption fails: use full certificate coverage to install the certificate into them.

Back to Proxy Capture · Related: Clear Certificate Pinning