Custom Certificates

1. What's it?

Proxyman supports Custom Root Certificate, Server Certificates, and Client Certificates that allow you to add your certificate that Proxyman uses to establish the SSL-Connection between your clients, servers, and Proxyman app.

2. Certificate Formats

Proxyman accepts the following formats:

• PKCS #12 (p12).

• PEM or DER Private Key and Certificate file.

3. Certificate Requirement on macOS 10.15+ and iOS 13+

If you're using a custom Root Certificate or Server Certificate on macOS 10.15 or iOS 13, you might encounter the failed handshake on Safari or iOS devices if the following requirements don't meet:

• RSA Key must have a key size is greater than 2048 bits

• The hash algorithm is SHA-2 family

• DNS Name of the server must be present on Subject Alternative Name. Common Name is no longer trusted

• Valid certificate (Current day is in Not Before and Not After)

• TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

Read more https://support.apple.com/en-us/HT210176

4. Common issues

5. How to use

• Access from Certificate Menu -> Add Custom Certificate

6. How to generate self-signed certificates for Custom Root Certificate that comply with new Apple's Security Requirements

Due to Apple's requirements from iOS 13 and Catalina (10.15), It requires extra configuration to generate the self-signed certificate properly.

The following steps will guide you on how to do it properly:

1. Prepare a cert.config file on the Desktop folder

[ ca ]
default_ca    = CA_default
[ CA_default ]
default_md    = sha256
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage=critical,keyCertSign
extendedKeyUsage = serverAuth,clientAuth
[ req ]
prompt = no
distinguished_name    = req_distinguished_name
[ req_distinguished_name ]
C=US
L=US
O=Proxyman LLC
CN=proxyman.dev
OU=Proxyman

• Please update values for C, L, O, CN, and OU parameters.

2. Generate RSA Key in the Terminal app. (Replace your_password with any password, e.g. 123456)

cd ~/Desktop
openssl genrsa -aes256 -passout pass:your_password -out key.pem 2048

3. Generate the self-signed certificate and private key. (Replace your_password with the password in step 2)

openssl req -x509 -new -nodes -passin pass:your_password -config cert.config -key key.pem -sha256 -extensions v3_ca -days 825 -out root-ca.pem

4. Convert to p12 format. (Replace your_password with the password in step 2)

openssl pkcs12 -export -legacy -out root-ca.p12 -in root-ca.pem -inkey key.pem -passin pass:your_password -passout pass:your_password

5. Finally, you would have root-ca.p12 file and move to the next step

7. Import as a Custom Root Certificate

1. Go to Certificate Menu -> Custom Certificate -> Select Root Certificate Tab

2. Click Import button -> P12

3. Select root-ca.p12 file and enter the password.

4. Trust your custom certificate in Keychain Access App:

• Open Keychain Access App

• Search for the certificate you've added. The name might be the common name (CN) of the certificate

• Double Click to open and select Always Trust

• Click "X" and save the change

5. Please verify that you can see the Green Tick that shows the certificate is installed and trusted properly.

8. Import as a Server/Client Certificate

For custom Server/Client certificates, you should not generate a self-signed certificate. Please ask your workmate or team lead about the certificate that the company is using. It could be in DER/PEM or P12 format.

Then import the certificate as a Server / Client Certificate in Custom Certificate Window.