Skip to main content
Version: 2.20.0

Install Certificate

Why should install a certificate?

Reqable uses the classic man-in-the-middle (MITM) technique to analyze HTTPS traffic. When the client communicates with Reqable proxy server (hereinafter referred to as MITM), the MITM needs to re-sign the SSL certificate of the remote server. In order to ensure the successful SSL handshake communication between the client and the MITM, it is necessary to install the MITM's root certificate (hereinafter referred to as CA Certificate) to the client's local certificate management center.

If the target client is a PC application, the CA Certificate needs to be installed in the certificate management center of the PC; if the target client is a mobile application, the CA certificate needs to be installed in the certificate management center of the mobile phone. If you do not need traffic analysis, you can ignore this step.

Tips

Reqable automatically generates a CA certificate for each user, and uses a random certificate key, so you don't have to worry about this certificate being exploited by a third party.

Desktop

Different desktop platforms (here mainly Windows/MacOS/Linux) have different certificate installation methods. In order to simplify the installation process, Reqable provides a one-click certificate installation way.

The certificate installation page is located on the top QuickBar, click the shield icon to open the pop-up window.

Just click Install Now:

After clicking, the system will pop up a confirmation pop-up window or enter the account password to authorize, just follow the prompts to confirm. If there is no accident, the certificate will be automatically installed successfully; if the automatic installation fails, you can switch to the Tab of Manual and follow the steps to install it manually.

Note that Chrome and Firefox on Linux devices have built-in certificate management systems, and you also need to install the CA certificate into the browser's certificate management center. Please follow the prompts in Reqable.

Installation Status

When the CA certificate is not installed or the installation fails, the shield icon is displayed in yellow; after the installation is successful, the shield icon is displayed in green.

Mobile

If you need to analyze mobile applications, you must install the CA certificate on the mobile device. We have built-in guidelines for installing Android and iOS certificates in Reqable. If you use desktop app, please switch to the tabs of Android and iOS to follow the steps to install. If you use mobile app, please goto Side Menu -> Certificate Management -> Install Root Certificate to Local-Machine, and choose a suitable solution to install.

danger

If you use the desktop app to analyze traffic, please install the CA root certificate on the computer to the mobile device; if you use the mobile app to analyze traffic directly, please install the CA root certificate on the mobile device.

The CA root certificate generated by Reqable for each device is different. If you want all devices to share the same CA root certificate, you can export the certificate in .p12 format and then import it on other devices.

Tips

After the mobile App is initialized and selects the collaborative mode and scans the qrcode to connect to the computer, the CA root certificate on the computer will be automatically synchronized to the current mobile device. At this time, the CA root certificate of the two devices is the same.

Android

There are two types of Android certificates: user certificates and system certificates. User certificates are located in the /data/misc/user/0/cacerts directory, and system certificates are located in the /system/etc/security/cacerts directory. The user directory does not require additional permissions to be modified, while the system directory requires permissions to unlock the system partition to be modified. You can choose any appropriate certificate installation solution according to the following scenarios.

1. Devices below Android 7.0

Devices below Android 7.0 trust user certificates by default. You can directly install the certificate to the user directory: Settings -> Security -> Encryption and Credentials -> Install Certificate -> CA Certificate, select the exported certificate and install it (authorization verification is required).

2. Rooted device and unlocked system partition

Use the adb command to push the certificate to the system certificate directory. This certificate is in the hash.0 format.

adb root
# restarting adbd as root
adb shell avbctl disable-verification
adb remount
adb push 364618e0.0 /system/etc/security/cacerts/364618e0.0
caution

Since the Android 14 certificate is migrated to the apex module, this solution is only suitable for Android 13 and below.

3. Android project adds trust-anchors

If you are an Android developer and have the project write permission, you can directly install the certificate to the user directory, and then configure the project to trust the user directory certificate.

Step 1: Install the certificate on your phone: Settings -> Security -> Encryption and Credentials -> Install Certificate -> CA Certificate, select the exported certificate and install it (authorization verification is required).

Step 2: Create res/xml/network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
</network-security-config>

Step 3: Config AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest>
<application android:networkSecurityConfig="@xml/network_security_config">
...
</application>
</manifest>

Please remove this configuration in the release version. For more information about the network security configuration file, please refer to: Android Docs.

4. Android project reduces targetSdkVersion

If you are an Android developer and have the project write permission. You can directly install the certificate to the user directory, and then reduce the project's targetSdkVersion to 23 or below.

Step 1: Install the certificate on the phone: Settings -> Security -> Encryption and Credentials -> Install Certificate -> CA Certificate, select the exported certificate and install it (authorization verification is required).

Step 2: Reduce targetSdkVersion.

android {
defaultConfig {
...
targetSdkVersion 23
...
}
}

5. Use magisk module to install certificate

Reqable app provides a Magisk module package, which can install the certificate to the system directory. It supports Magisk and KernelSU, and supports Android 5+.

caution

After KernelSU is flashed into the device, you may need to grant Reqable root permissions, otherwise the certificate will not take effect.

6. Chrome-based Browsers

Chrome (and subsequently many other Chromium-based browsers) has recently started requiring Certificate Transparency logs for CA certs found in the system certificate store.

Even if the certificate has been successfully installed in the system directory, the NET:ERR_CERTIFICATE_TRANSPARENCY_REQUIRED will still occur. In this case, please remove the certificate from the system directory and install it in the user directory. The Chrome kernel browser will trust the user certificate by default and will not perform CT log verification.

7. Flutter Apps

App developed with the Flutter only trust system certificates, not user directory certificates. This is hardcoded into the framework. Neither configuring network_security_config.xml nor lowering targetSdkVersion will take effect.

iOS

Installing CA certificate on an iOS device is very easy. Just follow the steps below.

First, download and install the description file (certificate). The description file can be saved manually or downloaded through the browser.

  • Manual save: Export the CA certificate, find the exported CA certificate in the Reqable document directory of the file app, and manually copy or move it to the upper directory. After clicking on the certificate, a prompt Description file downloaded will appear.
  • Browser download: Click on the certificate to automatically open the browser to download. After the download is complete, a prompt Description file downloaded will automatically appear.

Step 2: Open Settings -> Downloaded Profile -> Select Reqable CA -> Install the certificate file just downloaded.

Step 3: Trust the certificate, Settings -> General -> About -> Certificate Trust Settings -> Turn on the switch.

Special cases

In some special cases, HTTPS traffic may not be decrypted properly even if the certificate has been installed. Common cases include the following.

  • The network request enables certificate pinning, requiring the server to return a specified certificate.

  • The network request enables two-way verification, requiring the client to upload a certificate to the server for verification.

  • The application uses the built-in CA certificates for verification instead of the system CA certificates.