Install CA on Windows
On Windows, Probe’s CA goes into the Trusted Root Certification Authorities store. Once it’s there, every app that uses WinINET, WinHTTP, or schannel — Edge, Chrome, the .NET stack, native Win32 apps — accepts certificates Probe signs on the fly.
The MITM CA is generated locally the first time Probe runs and lives in %USERPROFILE%\.probe\probe_ca\. It is not the same as the code-signing CA the ProbeBootstrap.exe installer trusts machine-wide — that one only exists so future signed installers pass SmartScreen. You still need to add the MITM CA to your trust store before HTTPS traffic is decryptable.
One-click install (recommended)
Probe ships with a menu item that runs certutil for you and reports the result.
- Launch Probe at least once so %USERPROFILE%\.probe\probe_ca\ is created.
- From the toolbar or app menu, choose Install CA Certificate….
- Probe shells out to certutil -addstore -user Root <cert.der>, which adds the CA to the Current User → Trusted Root Certification Authorities store. No UAC prompt — the per-user store doesn’t need elevation.
- A confirmation dialog reports success. The shield indicator in the toolbar flips green and any “CA not trusted” banner disappears.
If you’d rather install the CA at the machine level (so services running as other users also trust it), use one of the manual paths below — they require admin.
Manual install
Use this if the one-click install failed, you want machine-wide trust, or you copied the Probe data dir from another machine.
- With Probe running, open this URL in any browser on the machine: http://localhost:9098/download/cert.pem
- Save the file as probe_ca.pem.
- Double-click the file. The Certificate dialog opens. Click Install Certificate….
- On the Store Location screen, pick Local Machine. UAC prompts for admin — accept. (Picking Current User trusts the CA only for your account; most apps still work, but services running as other users won’t.)
- On the Certificate Store screen, choose Place all certificates in the following store, click Browse…, and select Trusted Root Certification Authorities.
- Click Next, then Finish. Windows shows the security warning dialog with the CA’s thumbprint. Click Yes to confirm.
- You see “The import was successful.” The CA is now in the root store.
Run as Administrator:
    $pem = "$env:USERPROFILE\.probe\probe_ca\cert.pem"
    Import-Certificate -FilePath $pem -CertStoreLocation Cert:\LocalMachine\Root
If you’d rather install for the current user only (no admin required):
    Import-Certificate -FilePath $pem -CertStoreLocation Cert:\CurrentUser\Root
Verify it works
- Click Start in Probe’s toolbar.
- Open Edge or Chrome and visit: https://example.com
- In Probe, select the example.com entry in the traffic list. The Detail panel should show the response status, headers, and HTML body — not just a CONNECT example.com:443 line.
- To confirm from the command line, in a new PowerShell window:
    Invoke-WebRequest https://example.com | Select-Object StatusCode
  Probe should log the request. If you get a certificate error, the CA isn’t trusted — re-check the install.
Troubleshooting
SEC_E_UNTRUSTED_ROOT or ERR_CERT_AUTHORITY_INVALID.
The cert wasn’t placed in Trusted Root Certification Authorities, or it landed in the wrong store location. Open certmgr.msc (Current User) and certlm.msc (Local Machine), search for probe_ca, and confirm it’s under Trusted Root Certification Authorities → Certificates in at least one of them.
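A PowerShell version of that store check, as an added example (not part of Probe or its documentation): it reads the CA file from the path given above and lists every Current User and Local Machine store that holds a certificate with the same thumbprint. The variable names and messages are illustrative.

```powershell
# Added example: locate the Probe MITM CA in the Windows certificate stores.
# Assumes the CA file path given on this page; adjust if your data dir differs.
$pem = "$env:USERPROFILE\.probe\probe_ca\cert.pem"
if (-not (Test-Path $pem)) {
    throw "CA file not found at $pem. Launch Probe once so it is generated."
}

# Load the on-disk CA (the constructor accepts DER or Base64/PEM encoding).
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pem)
Write-Host "Subject   : $($ca.Subject)"
Write-Host "Thumbprint: $($ca.Thumbprint)  (compare with the import warning dialog)"
Write-Host "Expires   : $($ca.NotAfter)"

# Search every store in both locations for a certificate with that thumbprint.
# Matching on thumbprint rather than name catches a stale CA left over from a
# copied data dir, which has the same subject but a different key.
$hits = foreach ($location in 'CurrentUser', 'LocalMachine') {
    Get-ChildItem "Cert:\$location" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint } |
        ForEach-Object {
            $store = ($_.PSParentPath -split '\\')[-1]
            [pscustomobject]@{
                Location = $location
                Store    = $store
                IsRoot   = ($store -eq 'Root')
            }
        }
}

if (-not $hits) {
    Write-Warning 'CA is not in any store: HTTPS through Probe will fail validation.'
} elseif (-not ($hits | Where-Object IsRoot)) {
    Write-Warning 'CA is installed, but not under Trusted Root Certification Authorities.'
}

# Note: CurrentUser\Root is a merged view that also lists LocalMachine roots,
# so a machine-wide install appears under both locations.
$hits | Sort-Object Location, Store | Format-Table -AutoSize
```

Reading Cert:\LocalMachine does not need elevation, so this can run in a normal PowerShell window.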
Firefox shows the cert as untrusted.
Firefox keeps its own certificate store and ignores the Windows root store unless you flip a preference. Open about:config, set security.enterprise_roots.enabled to true, and restart Firefox. After that it picks up the Windows trust list.
WSL / Linux apps don’t trust the cert.
WSL has its own trust store. Copy probe_ca.pem into the WSL distro and append it to the system bundle:
    sudo cp /mnt/c/path/to/probe_ca.pem /usr/local/share/ca-certificates/probe_ca.crt
    sudo update-ca-certificates
(Note the rename to .crt — update-ca-certificates only picks up that extension.)
The CA disappeared after a Windows update.
Some Windows updates rebuild the user trust list. Re-run the installer or reimport with PowerShell.