Charles generates its own certificates for sites, which it signs using the Charles CA Certificate. You will see a warning in your browser, or other application, when it receives that certificate because the Charles CA Certificate is not in your list of trusted root certificates. See SSL Proxying.
You can usually choose to permanently trust each certificate as you encounter it, in which case you do not need to trust the Charles CA Certificate. If you would like to automatically trust every certificate issued by Charles, continue with these instructions:
The following instructions are for different browsers and applications to help you trust Charles’s CA Certificate so you no longer see certificate warnings.
Note that Charles’s CA Certificate changed with version 3.4 of Charles, so if you have already followed this procedure for an older version of Charles you will need to do it again.
Windows / Internet Explorer
In Charles go to the Help menu and choose "Install Charles CA SSL Certificate". A window will appear warning you that the CA Root certificate is not trusted.
Click the "Install Certificate" button to launch the Certificate Import Wizard. The certificate must be imported into the "Trusted Root Certification Authorities" certificate store, so override the automatic certificate store selection.
You will be asked to confirm the certificate thumbprint, it should read:
189B6E28 D1635F3A 8325E1E0 02180DBA 2C02C241
Complete the wizard and the CA SSL certificate is now installed. You may need to restart IE before the installation takes affect.
After installing the Charles Add-on for Mozilla, go to the Tools menu, the Charles submenu, and choose the "Install Charles CA SSL Certificate" option.
You will be presented with a certificate import dialog. Tick the option "Trust this CA to identify websites" and complete the import.
Mac OS X
Download and unzip the Charles CA Certificate bundle. The bundle contains the Charles CA Certificate file.
Run the Keychain Access utility from the Applications/Utilities folder. This tool enables you to manage your certificates.
Choose the "login" keychain then go to the File menu and choose Import. Choose the .crt file you downloaded above, and ensure that the login keychain is chosen in the dropdown menu.
Complete the import and the Charles CA SSL Certificate will now be trusted for your login account.
Move the Charles Proxy SSL Proxying certificate from your login keychain to the System keychain by drag-and-drop if you want all users on the machine to trust it.
You will need to quit and reopen Safari to see the change.
On Mac OS X, please follow the instructions for Mac OS X above. These instructions only apply on Windows.
Open the Options dialog, go to the "Under the Hood" tab, then click the "Manage certificates" button.
Go to the Trusted Root Certification Authorities tab and click Import.
Find the charles-proxy-ssl-proxying-certificate.crt file. On Windows and Linux it is in the docs directory in your Charles installation directory. On Mac OS X (or if you can’t find it) you can download and unzip ssl.zip.
Choose the charles-proxy-ssl-proxying-certificate.crt file, then click Next and Finish, leaving the default options, until you complete the import. Chrome will now always trust certificates signed by Charles.
After importing you can delete the charles-proxy-ssl-proxying-certificate.crt file if you downloaded it.
You can add the Charles CA Certificate to your root certificate trust store in Java, then all Java applications will trust the certificates that Charles issues.
Note that you may need to do this each time you upgrade your Java installation.
First find the cacerts file, it should be in your JAVA_HOME/jre/lib/security/cacerts, where JAVA_HOME is your java home directory for the JVM you’re using.
Note: On Mac OS X your must download and unzip the Charles CA Certificate bundle to get the charles-proxy-ssl-proxying-certificate.crt file required below. You will need to change the path to charles-proxy-ssl-proxying-certificate.crt accordingly. After importing you can delete the .crt file.
Then type (substituting for JAVA_HOME and CHARLES_DIR): keytool -import -alias charles -file CHARLES_DIR/docs/charles-proxy-ssl-proxying-certificate.crt -keystore JAVA_HOME/jre/lib/security/cacerts -storepass changeit
(changeit is the default password on the cacerts file)
Then try: keytool -list -keystore JAVA_HOME/jre/lib/security/cacerts -storepass changeit
If you have multiple Java installations you may need to work out which ones you’re using to run your application and do this on the appropriate one. Or do it on all of your Java installations.