Proxyman supports custom Root, Server, and Client certificates, so you can supply the certificates Proxyman uses to establish the SSL/TLS connections between your clients, your servers, and the Proxyman app.
Custom Certificate Type / How Proxyman uses it

Root Certificate: for intercepting HTTPS traffic from clients that use SSL pinning. Proxyman uses this certificate for the SSL handshake with your clients.
Client Certificate: for intercepting HTTPS traffic from clients that use mutual authentication (mTLS). Proxyman presents this certificate in the SSL handshake with the specific server that requires it.
Server Certificate: for intercepting HTTPS traffic from clients and servers without using the locally generated Proxyman certificate. Proxyman uses it for the SSL handshake with both clients and servers.
Proxyman accepts the following formats:
PKCS #12 (.p12)
PEM- or DER-encoded private key and certificate files
If you use a custom Root or Server certificate on macOS 10.15 (Catalina) or iOS 13 and later, Safari and iOS devices will fail the handshake unless the certificate meets the following requirements:
RSA keys must be at least 2048 bits
The signature hash must be from the SHA-2 family (SHA-1 is rejected)
The DNS name of the server must be present in the Subject Alternative Name extension; the Common Name alone is no longer trusted
The certificate must be within its validity period (the current date lies between Not Before and Not After); the validity period itself may be at most 825 days, which is why the generation command below uses -days 825
TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID
Read more: https://support.apple.com/en-us/HT210176
Private key and certificate are not matched
Make sure the private key and the certificate you import belong together: the public key embedded in the certificate must be the one derived from the private key. If they differ, try another key/certificate pair.

Get SSL Handshake Error for custom certificates
Check the certificate against the Apple requirements listed above (key size, SHA-2 hash, Subject Alternative Name, validity period, serverAuth EKU); Safari and iOS reject a certificate that misses any of them.

Couldn't import certificate due to invalid passphrase
Ask your team lead (or whoever issued the certificate) for the correct passphrase to open the encrypted private key or p12 file. If the passphrase is right but a p12 exported by OpenSSL 3.x is still refused, re-export it with openssl pkcs12 -export -legacy: older macOS versions cannot read the newer PKCS #12 encryption and report it as an incorrect password.
Access from Certificate Menu -> Add Custom Certificate
Because of Apple's requirements on iOS 13 and macOS Catalina (10.15), a self-signed root certificate needs extra configuration to be generated properly.
The following steps show how to do it:

1. Prepare a cert.config file in the Desktop folder:

[ ca ]
default_ca = CA_default

[ CA_default ]
default_md = sha256

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign
extendedKeyUsage = serverAuth,clientAuth

[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = SG
L = SG
O = Proxyman
CN = proxyman.dev
OU = Proxyman

Update the values of the C, L, O, CN, and OU parameters to match your organization.

2. Generate an encrypted RSA key in the Terminal app (replace your_password with your real password):

cd ~/Desktop
openssl genrsa -aes256 -passout pass:your_password -out key.pem 2048

3. Generate the self-signed certificate from that key (replace your_password with your real password):

openssl req -x509 -new -nodes -passin pass:your_password -config cert.config -key key.pem -sha256 -extensions v3_ca -days 825 -out root-ca.pem

4. Convert the certificate and key to p12 format (replace your_password with your real password):

openssl pkcs12 -export -out root-ca.p12 -in root-ca.pem -inkey key.pem -passin pass:your_password -passout pass:your_password

5. You now have a root-ca.p12 file; move on to the next step.
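The following script is an added example and is not Proxyman's own code. It runs the same steps as above in a temporary directory, issues one TLS server certificate from the resulting root, checks that leaf against the Apple requirements listed earlier, and verifies that each private key matches its certificate (the "not matched" troubleshooting case). It assumes openssl 1.1.1 or 3.x is on PATH; the passphrase default and the hostname leaf.example are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example, not Proxyman's own script. It builds a root CA with the same steps as the page,
# issues one TLS server certificate from that root, checks the leaf against Apple's requirements,
# and confirms that each private key matches its certificate. Assumes openssl 1.1.1 or 3.x on PATH.
# The passphrase default and the hostname leaf.example are placeholders chosen for this example.
set -eu

PASS="${PASS:-your_password}"
WORK="$(mktemp -d)"

# Same content as the page's cert.config, written from a function so the example is self-contained.
write_ca_config() {
  cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = SG
L = SG
O = Proxyman
OU = Proxyman
CN = proxyman.dev
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign
extendedKeyUsage = serverAuth,clientAuth
EOF
}

# Steps 2-4 of the page: encrypted 2048-bit RSA key, self-signed root (SHA-256, 825 days), p12 bundle.
make_root_ca() {
  write_ca_config "$1/cert.config"
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$1/key.pem" 2048 2>/dev/null
  openssl req -x509 -new -passin "pass:$PASS" -config "$1/cert.config" -key "$1/key.pem" \
    -sha256 -extensions v3_ca -days 825 -out "$1/root-ca.pem"
  openssl pkcs12 -export -in "$1/root-ca.pem" -inkey "$1/key.pem" -out "$1/root-ca.p12" \
    -passin "pass:$PASS" -passout "pass:$PASS"
}

# A leaf certificate signed by that root which satisfies Apple's rules:
# 2048-bit key, SHA-256, DNS name in the SAN, serverAuth in the EKU.
make_server_cert() {
  write_ca_config "$1/cert.config"
  printf 'basicConstraints = CA:false\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$2" > "$1/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/leaf-key.pem" -config "$1/cert.config" \
    -subj "/CN=$2" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root-ca.pem" -CAkey "$1/key.pem" -passin "pass:$PASS" \
    -CAcreateserial -sha256 -days 825 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

# A deliberately non-compliant certificate (1024-bit key, no SAN, no serverAuth EKU) to show what the checker rejects.
make_bad_cert() {
  write_ca_config "$1/cert.config"
  openssl req -x509 -newkey rsa:1024 -nodes -keyout "$1/bad-key.pem" -config "$1/cert.config" \
    -subj "/CN=proxyman.dev" -sha256 -days 825 -out "$1/bad.pem" 2>/dev/null
}

# The page's checklist: RSA key >= 2048 bits, SHA-2 signature, SAN present, id-kp-serverAuth EKU,
# not expired. Prints one line per failure and returns 1 if anything failed. Not Before is not
# checked here; `openssl verify` against the issuing chain covers both dates.
check_apple_requirements() {
  text="$(openssl x509 -in "$1" -noout -text)"
  failed=0
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-unknown} bits, Apple needs at least 2048"; failed=1; }
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)With' \
    || { echo "FAIL: signature hash is not from the SHA-2 family"; failed=1; }
  printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name' \
    || { echo "FAIL: no Subject Alternative Name (the Common Name alone is not trusted)"; failed=1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: ExtendedKeyUsage lacks id-kp-serverAuth"; failed=1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: certificate has expired"; failed=1; }
  return $failed
}

# Confirms that a private key belongs to a certificate by comparing the public key each one carries.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -passin "pass:$PASS" -pubout)" ]
}

make_root_ca "$WORK"
make_server_cert "$WORK" leaf.example
make_bad_cert "$WORK"
echo "root CA bundle to import into Proxyman: $WORK/root-ca.p12"
check_apple_requirements "$WORK/leaf.pem" && echo "leaf.pem meets Apple's requirements"
key_matches_cert "$WORK/root-ca.pem" "$WORK/key.pem" && echo "key.pem matches root-ca.pem"
key_matches_cert "$WORK/leaf.pem" "$WORK/leaf-key.pem" && echo "leaf-key.pem matches leaf.pem"
check_apple_requirements "$WORK/bad.pem" || echo "bad.pem rejected, as expected"
```

Run check_apple_requirements against the server certificate you intend to import (or against a leaf Proxyman will present), not against the root itself: the root built from cert.config carries no Subject Alternative Name, so the SAN rule, which Apple applies to TLS server certificates, would flag it. key_matches_cert is the quick test for the "not matched" import error: if the two public keys differ, the key file and the certificate file came from different pairs.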
1. Go to Certificate Menu -> Custom Certificate -> Root Certificate tab
2. Click the Import button -> P12
3. Select root-ca.p12 and enter the password
4. Trust your custom certificate in the Keychain Access app:
   Open Keychain Access
   Search for the certificate you added; its name is the common name (CN) of the certificate
   Double-click it to open and select Always Trust
   Close the window ("X") and save the change
5. Verify that you can see the green tick, which shows the certificate is installed and trusted properly.
For custom Server or Client certificates, do not generate a self-signed certificate. Ask your workmate or team lead for the certificate your company actually uses; it may be in DER/PEM or P12 format.
Then import it as a Server or Client certificate in the Custom Certificate window.
You don't need to trust it in Keychain Access, since it is not a root certificate.