Install the certificate

ProxyPro generates a private root CA on first launch and signs a fresh leaf cert for every HTTPS host you visit. Your browser only accepts those leaf certs if it trusts the root.

The CA lives at:

~/Library/Application Support/ProxyPro/ca/root.pem      (cert)
~/Library/Application Support/ProxyPro/ca/root.key.pem  (key, mode 0600)

macOS — two keychains, two scopes

Login keychain is not enough for Chrome

Chrome on macOS reads trust from the System keychain, not the login keychain. Installing via the in-app button alone will leave Chrome rejecting the cert with NET::ERR_CERT_AUTHORITY_INVALID. You need the sudo command below.

Login keychain (built-in)

Click Install to Keychain in the Cert panel of the app. It runs:

security add-trusted-cert -r trustRoot \
  -k ~/Library/Keychains/login.keychain-db \
  ~/Library/Application\ Support/ProxyPro/ca/root.pem

Used by: Safari, Mail, most native Cocoa apps respecting user trust. Not used by: Chrome, Chromium, Edge.

System keychain (Chrome, Firefox NSS)

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ~/Library/Application\ Support/ProxyPro/ca/root.pem

The -d flag adds the cert to the admin (system) domain. Used by Chrome, Edge, Chromium, and apps that prefer system trust.

Firefox uses its own NSS store; see the Firefox tab.

Firefox (NSS store)

Firefox bundles its own CA store and ignores both keychains.

1. Visit about:preferences#privacy
2. Scroll to Certificates → View Certificates
3. Authorities → Import
4. Select ~/Library/Application Support/ProxyPro/ca/root.pem
5. Check Trust this CA to identify websites

Verify it worked

After restarting the browser:

curl -sS --proxy http://127.0.0.1:9090 https://example.com -o /dev/null -w "%{http_code}\n"
# expect: 200

In Chrome, visit chrome://settings/security → Manage certificates → Trust Store → search “ProxyPro”. The cert should appear with trust enabled for SSL.

Uninstall

# Remove from System keychain (if installed there)
sudo security delete-certificate -c "ProxyPro Root CA" /Library/Keychains/System.keychain

# Remove from login keychain
security delete-certificate -c "ProxyPro Root CA" ~/Library/Keychains/login.keychain-db

# Optionally delete the on-disk CA files
rm -rf ~/Library/Application\ Support/ProxyPro/ca/

The next launch will generate a fresh CA. You’ll need to re-trust it.

Why the cert keeps regenerating

It doesn’t — the CA files are persisted under Application Support and reused across launches. If you see a new fingerprint on every boot, you have a stale dev process holding the previous CA in memory while a new one regenerates. Run:

pkill -f proxypro-engine
pkill -f "electron.*proxypro"

then relaunch.