Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between web browser and SSL web server.
Charles does this by becoming a man-in-the-middle. Instead of your browser seeing the server’s certificate, Charles dynamically generates a certificate for the server and signs it with its own root certificate (the Charles CA Certificate). Charles receives the server’s certificate, while your browser receives Charles’s certificate. Therefore you will see a security warning, indicating that the root authority is not trusted. If you add the Charles CA Certificate to your trusted certificates you will no longer see any warnings – see below for how to do this.
Charles still communicates via SSL to the web server. The communication is SSL (encrypted) from web browser to Charles and also SSL (encrypted) from Charles to the web server.
This functionality is essential for debugging secure (SSL) web applications.
You may turn on or off this SSL proxying in the Proxy Preferences. With SSL proxying turned off Charles just forwards all SSL traffic directly to the target web server.
Choosing hosts to SSL Proxy
You must specifically identify the host names you want to enable SSL Proxying on. The list is in the Proxy Settings, SSL tab. You can also right-click on a host name in the structure view and turn on or off SSL Proxying.
After adding a host name to the SSL Proxying list you may need to restart Charles for existing browser sessions to change.
If you want to SSL Proxy all host names then enter * into the host names list in the Proxy Settings, SSL tab.
Trusting Charles's SSL Certificates
Charles generates its own certificates for sites, which it signs using the Charles CA Certificate. You will see a warning in your browser, or other application, when it receives that certificate because the Charles CA Certificate is not in your list of trusted root certificates.
See SSL Certificates for instructions for trusting Charles’s CA Certificate.