
Install CA on macOS

To inspect HTTPS traffic from apps running on the same Mac as Probe — Safari, Chrome, the iOS Simulator, native apps that use URLSession — you install Probe’s CA into the System keychain and mark it as trusted for SSL.

This is a one-time setup per machine. After it’s done, any HTTPS connection from any app on this Mac that respects the system trust store will work transparently with Probe running.

  1. Make sure Probe is running. The CA download server only responds while the app is open.

  2. In a browser, open:

    http://localhost:9098/download/macos

    The browser downloads probe_ca.pem (a few KB).

  3. In Finder, double-click probe_ca.pem. Keychain Access opens and adds the certificate to the login keychain by default. That’s the wrong keychain — you want System, so it applies to every user and every app on the machine.

  4. In Keychain Access, drag the certificate from login into System. macOS prompts for your administrator password.

  5. The cert is now in the System keychain but is still not trusted — it appears with a red × on the icon. Continue to the next section.

Mark it as trusted

  1. In Keychain Access, select System in the left sidebar, then find the certificate.

    The name is probe_ca. If you upgraded from an older version of Probe, you may also see guide_proxy_ca — same purpose, older naming. You can leave both, or remove the legacy one once probe_ca is trusted.

  2. Double-click the certificate. A details window opens.

  3. Expand the Trust section at the top.

  4. Set When using this certificate to Always Trust. macOS then sets every individual usage listed below it to “Always Trust” — that’s expected.

  5. Close the details window. macOS prompts for your administrator password again to commit the trust setting.

  6. Quit and re-open any browser or app that was already running — they cache the trust store at launch and won’t pick up the change otherwise.

  1. With Probe running and Start clicked, open a fresh browser tab and load:

    https://example.com

  2. Switch to Probe. The traffic list should show an entry for example.com with status 200, response headers, and a viewable HTML body in the Detail panel.

  3. If the request shows CONNECT example.com:443 and nothing else, the CA isn’t trusted yet. See troubleshooting below.

Troubleshooting

The cert installed but Probe still shows opaque CONNECT lines. You almost certainly missed step 4 of “Mark it as trusted”. A cert in the keychain that isn’t explicitly trusted is treated as unknown. Re-open the cert, set Always Trust, save.

Browser shows NET::ERR_CERT_AUTHORITY_INVALID even though the cert is trusted. Chrome and Firefox each maintain their own trust store policies on top of the system one. Chrome on macOS uses the system keychain, so quit and re-launch it. Firefox does not use the system keychain — see Firefox’s documentation for adding a CA to its own store, or use a system-level browser for debugging.

Two certificates appear, probe_ca and guide_proxy_ca. You upgraded across the rename. Both are valid; new traffic is signed by probe_ca. You can delete guide_proxy_ca from the System keychain once you confirm probe_ca is working.

Curl from the terminal still fails certificate verification. curl uses its own bundled root list from libcurl, not the keychain. Either pass the CA explicitly:

    curl --cacert ~/.probe/probe_ca/cert.pem -x http://127.0.0.1:9099 https://api.example.com

or set CURL_CA_BUNDLE=~/.probe/probe_ca/cert.pem for the duration of your session.
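
The keychain states behind the first and third troubleshooting entries (installed but not trusted, and two certificates after an upgrade) can be checked from Terminal with read-only `security` subcommands. This is an added example, not part of Probe or its documentation; the function names are hypothetical, and it assumes the certificate names probe_ca and guide_proxy_ca given above, the standard System keychain path, and the "Cert N: <name>" header layout of `security dump-trust-settings` output.

```shell
#!/bin/sh
# Added example: read-only audit of the Probe CA in the macOS System keychain.
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Read `security dump-trust-settings` output on stdin and print the trust
# result for certificate name $1: none | deny | trust.
# Assumes each certificate starts with a "Cert N: <name>" header line.
trust_result() {
    awk -v n="$1" '
        /^Cert [0-9]+: / {
            name = $0; sub(/^Cert [0-9]+: /, "", name)
            in_cert = (name == n); if (in_cert) seen = 1
            next
        }
        in_cert && /kSecTrustSettingsResultDeny/ { deny = 1 }
        END { if (!seen) print "none"; else if (deny) print "deny"; else print "trust" }'
}

# Print absent | installed-untrusted | distrusted | trusted for name $1.
probe_ca_state() {
    # find-certificate exits non-zero when the keychain has no match.
    if ! security find-certificate -c "$1" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1; then
        echo "absent"; return 0
    fi
    # Check both the admin (-d) and the per-user trust settings domains.
    result=$( { security dump-trust-settings -d || true
                security dump-trust-settings || true; } 2>/dev/null |
              trust_result "$1" )
    case "$result" in
        trust) echo "trusted" ;;
        deny)  echo "distrusted" ;;
        *)     echo "installed-untrusted" ;;
    esac
}

# Report both names the page mentions: the current one and the legacy one.
probe_ca_report() {
    for ca in probe_ca guide_proxy_ca; do
        printf '%s: %s\n' "$ca" "$(probe_ca_state "$ca")"
    done
}
```

After sourcing the file, `probe_ca_report` prints one line per certificate name; `installed-untrusted` is the red × state from step 5 of the install steps.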