Install CA on iOS / iPadOS

iOS and iPadOS need Probe’s CA in two places: installed as a configuration profile, and explicitly enabled in Certificate Trust Settings. Skipping the second step is the single most common reason HTTPS interception silently fails on iPhones.

Before you start, the phone must be on the same Wi-Fi as the Mac or PC running Probe, and Probe must be running. Verify by opening Safari on the phone and loading http://<probe-host>:9098 — you should see the CA download landing page.

Install the profile

1. On the iPhone or iPad, open Safari (the profile installer only triggers from Safari — Chrome, Firefox, and other browsers download the file but won’t hand it off to Settings).

2. Visit the CA landing page using the host machine’s LAN IP:

   http://<probe-host>:9098

   Replace <probe-host> with the IP shown in Probe’s toolbar status card — for example http://192.168.1.42:9098.

3. The page detects iOS and shows an Install for iOS button. Tap it.

4. Safari shows “This website is trying to download a configuration profile. Do you want to allow this?” — tap Allow.

5. iOS pops a banner: “Profile Downloaded — Review the profile in Settings if you want to install it.” The profile is now waiting in Settings; it isn’t applied yet.

6. Open Settings on the device. Near the top, under your Apple ID, tap Profile Downloaded.

   On iPadOS or older iOS versions, this entry may live at Settings → General → VPN & Device Management instead.

7. Tap Install in the top right. The system asks for your device passcode, then shows a warning that the profile is not signed and the certificate will be added to the trust store. Tap Install again, then Done.

The profile is now installed — but iOS still won’t use the CA for HTTPS interception until you enable it explicitly.

Enable trust for the CA

This step is required

On iOS 10.3 and later, Apple requires every CA installed via profile to be manually flipped on under Certificate Trust Settings. Until you do this, the CA exists on the device but is treated as untrusted. Your traffic will still show as opaque CONNECT lines in Probe, and you’ll think the install failed. It didn’t — finish step 2 below.

1. Open Settings → General → About.

2. Scroll to the bottom and tap Certificate Trust Settings.

3. Under Enable Full Trust For Root Certificates, find probe_ca (or guide_proxy_ca if you installed before the rename) and toggle it on.

4. iOS shows a confirmation dialog warning that other apps installed on the device will be able to access secure traffic. That warning is exactly the point: you’re telling the device that Probe’s CA is allowed to forge leaf certs. Tap Continue.

The toggle stays on across reboots. You only do this once per device until you uninstall the profile.

Verify it works

1. Make sure the device’s Wi-Fi proxy points at Probe — see Mobile Setup if you haven’t done this yet.

2. In Probe, click Start.

3. On the phone, open Safari and load:

   https://example.com

4. In Probe’s traffic list, find the example.com entry. The Detail panel should show the full HTML response, headers, and a 200 OK status. If it does, HTTPS interception is live.

5. If you instead see only CONNECT example.com:443 and no body, the CA is installed but trust is not enabled. Go back to step 3 of the previous section.

Why iOS needs this dance

Probe signs each leaf certificate with IsCa::ExplicitNoCa and the right SAN/extension set so that iOS will accept it. Apple is strict about the chain: certificates installed via profile carry restrictions by default, and the user has to explicitly opt the CA into full trust before the system will use it for general TLS validation. There’s no way around this from the host side — the toggle has to be flipped on the device.

Troubleshooting

The phone never shows the “Profile Downloaded” prompt. You used Chrome or another browser. Switch to Safari and reload the URL — only Safari hands profile downloads off to Settings.

The Install button is grayed out. Some iOS releases require a passcode set on the device before any profile can be installed. Set a passcode in Settings → Face ID & Passcode and try again.

Traffic still shows as CONNECT host:443 only. The single most common cause: trust isn’t enabled. Re-check Settings → General → About → Certificate Trust Settings and confirm the toggle is on for probe_ca.

App-pinned traffic is still opaque. Some apps pin certificates and refuse to talk to anything that doesn’t present the original cert. There’s nothing the OS-level trust store can do about that — see HTTPS Interception for workarounds, including the iOS Simulator and SSL kill-switch tooling.

iPad with managed device profile. Devices enrolled in MDM may block manual profile installs. Ask your device admin to whitelist user-installed profiles, or test on an unmanaged device.

Removing the CA

When you’re done debugging on a device, remove the profile so the CA is no longer trusted. Go to Settings → General → VPN & Device Management, tap the Probe profile, and tap Remove Profile. The CA is purged from the trust store immediately.

Next steps

Mobile Setup Configure the iPhone's Wi-Fi proxy.

Capture your first request Verify traffic flows end-to-end.