Charles Proxy Certificate Download


Fenna Jaggers

11:19 AM (4 hours ago)
to ehcache-users

Charles generates its own certificates for sites, which it signs using a Charles Root Certificate, which is uniquely generated for your installation of Charles (as of v3.10). You will see a warning in your browser, or other application, when it receives that certificate because the Charles Root Certificate is not in your list of trusted root certificates. See SSL Proxying.

You can choose to permanently trust each site's certificate as you encounter it, in which case you do not need to trust the Charles Root Certificate. If you would like to automatically trust every certificate issued by Charles, continue with these instructions.


Click the "Install Certificate" button to launch the Certificate Import Wizard. The certificate must be imported into the "Trusted Root Certification Authorities" certificate store, so override the automatic certificate store selection.

In Charles go to the Help menu and choose "SSL Proxying > Install Charles Root Certificate". Keychain Access will open. Find the "Charles Proxy..." entry, and double-click to get info on it. Expand the "Trust" section, and beside "When using this certificate" change it from "Use System Defaults" to "Always Trust". Then close the certificate info window, and you will be prompted for your Administrator password to update the system trust settings.

As of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control.

In order to configure your app to trust Charles, you need to add a Network Security Configuration File to your app. This file can override the system default, enabling your app to trust user installed CA certificates (e.g. the Charles Root Certificate). You can specify that this only applies in debug builds of your application, so that production builds use the default trust profile.

In Charles go to the Help menu and choose "SSL Proxying > Save Charles Root Certificate". Save the root certificate as a Binary Certificate (.cer) to your desktop, or somewhere where you can easily access it in the next step.

Find the certificate file you saved from Charles in the previous step, then click Next and Finish, leaving the default options, until you complete the import. Chrome will now always trust certificates signed by Charles.

You can add your Charles Root Certificate to your root certificate trust store in Java, then all Java applications will trust the certificates that Charles issues. Note that you may need to do this each time you upgrade your Java installation.

In Charles go to the Help menu and choose "SSL Proxying > Save Charles Root Certificate". Save the root certificate as a Base 64 encoded certificate (.pem) to your desktop, or somewhere where you can easily access it in the next step.

On macOS the Java Plugin has its cacerts file at /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security. You should add the Charles root certificate to that cacerts file if you want applets running in your browser to trust Charles.

You can configure requests to trust your Charles Root Certificate. First save your certificate as a .pem file using the Help > SSL Proxying > Save Charles Root Certificate menu. Then configure your Session as follows:

Alternatively, you can change your code so that NSURLConnection accepts any SSL certificate. Please see the question and answer on Stack Overflow: -to-use-nsurlconnection-to-connect-with-ssl-for-an-untrusted-cert

If you're only browsing a single website in Safari you can just accept the certificate in Safari and that will work for that site. If the SSL site is only being used to load resources such as images, then you'll need to visit it directly and accept the certificate before it will work.

Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.

I think my issue is that I don't have the certificate installed. When I go through Charles > SSL Proxying > Install Charles Root Certificate or through chls.pro/ssl, it will open Keychain Access but won't prompt for any install, and I don't see it coming up on my list of keychains - see below.

Finally, I found the problem. In my case, it was an expired certificate. In order to fix it, it is necessary to go to Help -> SSL Proxying -> Reset Charles Root Certificate.... It will generate a new one. Then it is needed to install it and grant trust to it.

Starting from iOS 10.3, SSL trust has to be turned on manually for manually installed certificate profiles in iOS, so go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates", turn on trust for the certificate.

In case you don't get the prompt for trusting the certificate (which means it stays untrusted ...) when installing it on OSX, you need to trust it manually in the keychain: open the Keychain, search for the Charles certificate, double-click it, then choose "Always Trust" for "When using this certificate".

In Charles go to the Help menu and choose "SSL Proxying > Install Charles Root Certificate". A window will appear warning you that the CA Root certificate is not trusted. Click the "Install Certificate" button to launch the Certificate Import Wizard. The certificate must be imported into the "Trusted Root Certification Authorities" certificate store, so override the automatic certificate store selection. Complete the wizard and your Charles Root Certificate is now installed. You may need to restart IE before the installation takes effect.

After installing the Charles Add-on for Mozilla, go to the Tools menu, the Charles submenu, and choose the "Install Charles Root Certificate" option. You will be presented with a certificate import dialog. Tick the option "Trust this CA to identify websites" and complete the import.

In Charles go to the Help menu and choose "SSL Proxying > Install Charles Root Certificate". Keychain Access will open, and prompt you about the certificate. Click the "Always Trust" button. You will then be prompted for your Administrator password to update the system trust settings. You may need to quit and reopen Safari to see the change.

If you don't see the Charles certificate in your list after downloading it from Safari, go to Settings -> General -> Profile -> Install Charles Certificate, and then trust it under Settings > General > About > Certificate Trust Settings.

The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

In the search box at the top of the page, type cert and Firefox should filter the list. Click "View Certificates" to open the Certificate Manager and click the "Authorities" tab. Then you can use the "Import" button to import the proxy server's certificate.

Tons of stuff: the actual content, supporting CSS, Javascript, images, and external hosts that have nothing to do with CNN, that I guess are some sort of tracking/analytics. Pretty informative, actually. Just try using some apps on your phone and see what kinds of data they send. (Or turn on Mac OS X proxying and do the same on your computer.)

curl is another amazing command-line tool for HTTP. You can perform any HTTP request/response and just watch things happen. Charlesproxy had handily already captured all the parameters, so all I needed to do was to navigate to the right tab to grab the POST parameters (the request in question was a POST).

So if I ran the above, indeed, the request showed up in my Charlesproxy next to the failing request from Android. Now it was really time for deep detective work and comparing each bit and piece of the requests.

If you use a TLS Proxy such as Charles, you essentially communicate with the proxy and the proxy communicates with the web server. So what stops an attacker from just using a TLS proxy? The certificate!

When you installed the TLS Proxy, the proxy generated a new CA-certificate, which you then imported. This means you gave the proxy the authority to create a certificate for any domain. For the purpose of being a proxy, this is fine.

I installed the certificate manually by adding it to the /etc/ca-certificates/trust-source/anchors/ folder and running the update command
trust extract-compat
but Charles still displays the requests in encrypted form.
I ask for help.

Just like we had to give Charles permission to sign SSL certificates on behalf of our browser on our laptop, we need to add its certificates to our respective phones as well. In this case, I suggest you deactivate the certificates on each phone after you are done using Charles if you are using your real phone and not a dedicated test device. See the very last step in this article to see how to do that.

Step 4: Now navigate to on your phone, which will ask for permission to install the root certificate. Follow all the approval steps until the certificate is successfully added to your phone.

1. Instead of connecting the Mac via USB to the phone, I connected it via Wi-Fi to the Mobile Hotspot
2. On Phone 2, set the proxy with the IP address of the Mac (which will be different from Phone 1's IP address)

Charles Proxy configuration
You can do it with the free demo version of Charles Proxy (it just adds some delay and a 30-minute auto stop). Charles Proxy runs under Linux, Windows and macOS. I used Linux (openSUSE). It can be downloaded from here:
-release/
On Linux, just untarring it and running it from your home directory will do (no need to be root or to install anything).
I used the HTTP proxy mode (default mode).
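
The debug-only trust configuration described above for Android N and later, as an added example that is not part of the original post or of Charles's own documentation. The file path, the manifest reference and the @raw/charles_root resource name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed path: res/xml/network_security_config.xml, referenced from
     AndroidManifest.xml as
     <application android:networkSecurityConfig="@xml/network_security_config"> -->
<network-security-config>

    <!-- All builds: trust only the CAs shipped with the OS. This matches the
         platform default for apps targeting Android N (API 24) and later. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when android:debuggable="true", so release builds
         never trust the proxy's root. -->
    <debug-overrides>
        <trust-anchors>
            <!-- Broad option: any CA the user installed on the device,
                 which includes an installed Charles Root Certificate. -->
            <certificates src="user" />

            <!-- Narrower option (assumption: the saved Charles root is copied
                 to res/raw/charles_root): trust that one certificate only.
                 Use this line instead of src="user". -->
            <!-- <certificates src="@raw/charles_root" /> -->
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Because debug-overrides only takes effect in debuggable builds, a release build keeps rejecting Charles-issued certificates even on a device where the Charles root is installed as a user CA.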
