Skip to content →

SSL Certificates

Charles generates its own certificates for sites, which it signs using a Charles Root Certificate, which is uniquely generated for your installation of Charles (as of v3.10). You will see a warning in your browser, or other application, when it receives that certificate because the Charles Root Certificate is not in your list of trusted root certificates. See SSL Proxying.

You can choose to permanently trust each site's certificate as you encounter it, in which case you do not need to trust the Charles Root Certificate. If you would like to automatically trust every certificate issued by Charles, continue with these instructions.

The following instructions are for different browsers and applications to help you trust your Charles Root Certificate so you no longer see certificate warnings.

Note that the Charles Root Certificate approach changed with version 3.10 of Charles, so if you have already followed this procedure for an older version of Charles you will need to do it again.

Windows / Internet Explorer

In Charles go to the Help menu and choose "SSL Proxying > Install Charles Root Certificate". A window will appear warning you that the CA Root certificate is not trusted.

Click the "Install Certificate" button to launch the Certificate Import Wizard. The certificate must be imported into the "Trusted Root Certification Authorities" certificate store, so override the automatic certificate store selection.

Complete the wizard and your Charles Root Certificate is now installed. You may need to restart IE before the installation takes affect.

Mozilla Firefox

After installing the Charles Add-on for Mozilla, go to the Tools menu, the Charles submenu, and choose the "Install Charles Root Certificate" option.

You will be presented with a certificate import dialog. Tick the option "Trust this CA to identify websites" and complete the import.

Mac OS X

In Charles go to the Help menu and choose "SSL Proxying > Install Charles Root Certificate". Keychain Access will open, and prompt you about the certificate. Click the "Always Trust" button. You will then be prompted for your Administrator password to update the system trust settings.

You may need to quit and reopen Safari to see the change.

iOS devices

First set your iOS device to use Charles as its HTTP proxy in the Settings app > Wifi settings. Then open Safari and browse to http://www.charlesproxy.com/getssl. Safari will prompt you to install the SSL certificate. Now you should be able to access SSL websites with Charles using SSL Proxying.

Note for iOS 9: You need to disable App Transport Security in your app to use Charles SSL Proxying with SSL sites. To disable ATS you need to add keys to your app's Info.plist file, as below. See this tech note from Apple for more information. You must remember to re-enable ATS before you release your app to take advantage of the security that ATS provides.

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

iOS Simulators

Quit your iOS Simulator. Launch Charles and go to the Help menu. Choose the "SSL Proxying > Install Charles Root Certificate in iOS Simulators" item. This will install your Charles Root Certificate into all of your iOS Simulators. Now when you start the iOS Simulator, you should be able to access SSL websites with Charles using SSL Proxying.

Note for iOS 9: You need to disable App Transport Security in your app to use Charles SSL Proxying with SSL sites. See the note under iOS devices above.

Google Chrome

On Mac OS X, please follow the instructions for Mac OS X above. These instructions only apply on Windows.

In Charles go to the Help menu and choose "SSL Proxying > Save Charles Root Certificate". Save the root certificate (as a .crt) to your desktop, or somewhere where you can easily access it in the next step.

In Chrome, open the Options dialog, go to the "Under the Hood" tab, then click the "Manage certificates" button.

Go to the Trusted Root Certification Authorities tab and click Import.

Find the certificate file you saved from Charles in the previous step, then click Next and Finish, leaving the default options, until you complete the import. Chrome will now always trust certificates signed by Charles.

After importing you can delete the certificate file that you saved, cleaning up your desktop!

Java Applications

You can add your Charles Root Certificate to your root certificate trust store in Java, then all Java applications will trust the certificates that Charles issues. Note that you may need to do this each time you upgrade your Java installation.

In Charles go to the Help menu and choose "SSL Proxying > Save Charles Root Certificate". Save the root certificate (as a .crt) to your desktop, or somewhere where you can easily access it in the next step.

Now find the cacerts file, it should be in your $JAVA_HOME/jre/lib/security/cacerts, where JAVA_HOME is your java home directory for the JVM you’re using.

Then type (substituting for JAVA_HOME and DESKTOP): keytool -import -alias charles -file DESKTOP/charles-ssl-proxying-certificate.crt -keystore JAVA_HOME/jre/lib/security/cacerts -storepass changeit

(changeit is the default password on the cacerts file)

Then try: keytool -list -keystore JAVA_HOME/jre/lib/security/cacerts -storepass changeit

If you have multiple Java installations you may need to work out which ones you’re using to run your application and do this on the appropriate one. Or do it on all of your Java installations.