Using Custom Certificates

Individual developers who do not have an enterprise certificate and do not want to use ApiCatcher's provided certificates can use ApiCatcher's Enterprise Certificate feature to import their own custom certificates.

A Use Case on How to Use It

Preparation

  • Environment: Local Area Network (LAN)
  • Devices: Mac, iPhone
  • Software installed on Mac: OpenSSL

Steps

  1. On your computer, generate a self-signed root CA and a server certificate (certificate + private key) for the address you will access.
  2. Install the root CA on your iPhone and fully trust it (similar to installing the ApiCatcher root certificate).
  3. Use this server certificate in your local HTTPS service.
  4. In ApiCatcher's Enterprise Certificate - Add Certificate page, import the Certificate PEM + Private Key PEM, and enter the Host from the CONNECT request in the domain field (using a LAN IP in this example).
  5. Connect your iPhone to the same Wi-Fi and turn on the ApiCatcher VPN.
  6. Visit https://<Your IP>:8443 in Safari, and check the capture logs to see if the HTTPS traffic is decrypted.

1. Prepare Certificates on Mac (OpenSSL)

Working directory:

mkdir -p ~/apicatcher-enterprise-test && cd ~/apicatcher-enterprise-test

Replace 192.168.1.75 below with your Mac's LAN IP (can be found in System Settings → Network).


# Create self-signed root CA
openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
  -keyout ca-key.pem -out ca-cert.pem -nodes \
  -subj "/CN=ApiCatcher Local Test CA"

# Private key for server certificate
openssl genrsa -out server-key.pem 2048

# Configuration with SAN (Modify CN and IP.1 to match your IP)
cat > server.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = 192.168.1.75

[v3_req]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
IP.1 = 192.168.1.75
EOF

# CSR + Issue server certificate using CA
openssl req -new -key server-key.pem -out server.csr -config server.cnf
openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -days 825 -sha256 \
  -extensions v3_req -extfile server.cnf

You will get:

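| File | Purpose |
| --- | --- |
| server-cert.pem | Paste into App's Certificate PEM |
| server-key.pem | Paste into App's Private Key PEM |
| ca-cert.pem | Send to iPhone to install and trust |

The commands also leave ca-key.pem in the working directory, unencrypted because of -nodes. This key can sign certificates that the iPhone will accept once the root CA is fully trusted, so keep it on the Mac and do not import or share it.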
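Before pasting the PEM files into the app, the causes listed under Common Issues (untrusted chain, SAN missing the requested host) plus a key/certificate mismatch can be checked on the Mac. The script below is an added example, not part of the ApiCatcher documentation; the function names san_entries and check_server_cert are invented for it, and the file names and IP are the ones from step 1.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced in step 1.
# san_entries and check_server_cert are names invented for this example.

# Print the certificate's SAN entries one per line,
# e.g. "IP Address:192.168.1.75" or "DNS:example.test".
san_entries() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# check_server_cert CA CERT KEY HOST
# Returns 0 only if every check passes; prints one line per check.
check_server_cert() {
  ca=$1 cert=$2 key=$3 host=$4 rc=0
  # 1. The server certificate must chain to the root CA trusted on the iPhone.
  if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "ok   chain: $cert verifies against $ca"
  else
    echo "FAIL chain: $cert does not verify against $ca"; rc=1
  fi
  # 2. The private key must belong to the certificate (same public key).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "ok   key: $key matches $cert"
  else
    echo "FAIL key: $key does not match $cert"; rc=1
  fi
  # 3. The SAN must contain exactly the host entered in Safari and in the app.
  if san_entries "$cert" | grep -Fxq -e "IP Address:$host" -e "DNS:$host"; then
    echo "ok   SAN: contains $host"
  else
    echo "FAIL SAN: $host not in [$(san_entries "$cert" | tr '\n' ' ')]"; rc=1
  fi
  # 4. serverAuth from server.cnf must have made it into the certificate.
  if openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo "ok   EKU: serverAuth present"
  else
    echo "FAIL EKU: serverAuth missing"; rc=1
  fi
  return "$rc"
}
# Usage: check_server_cert ca-cert.pem server-cert.pem server-key.pem 192.168.1.75
```

Run it in ~/apicatcher-enterprise-test after step 1; any FAIL line points at the file to regenerate before importing.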

2. Install Root CA on iPhone

  1. Send ca-cert.pem to your phone (via AirDrop, email, or a simple web server download).
  2. Install the profile in Settings → General → VPN & Device Management.
  3. Go to Settings → General → About → Certificate Trust Settings and enable full trust for this root CA.

3. Start a Local HTTPS Service on Mac

In the same directory:

# Use OpenSSL's built-in HTTPS server
openssl s_server -accept 8443 -www \
  -cert server-cert.pem -key server-key.pem

Keep the terminal running.

4. Configure Enterprise Certificate in App

  1. Stop the VPN capture first.
  2. Settings → Enterprise Certificate → Add Certificate → PEM:
    • Certificate: The full content of server-cert.pem
    • Private Key: The full content of server-key.pem
  3. Domain Pattern: Enter 192.168.1.75 (must exactly match the Host in Safari's address bar, without port).
  4. Save and restart VPN capture.

5. Access from iPhone

Open in Safari: https://192.168.1.75:8443 (If there is a certificate warning, ensure the root CA is "fully trusted" and the address matches the IP in the certificate.)

Check the record in ApiCatcher: HTTPS content should be decrypted (at least showing the request path/method, rather than just a plain tunnel).

6. Common Issues

| Issue | Solution |
| --- | --- |
| Cannot connect | Ensure firewall allows 8443; Mac and iPhone are on the same subnet. |
| Still not decrypted | Check if the domain is exactly 192.168.1.75; ensure you restarted capture after importing. |
| Safari certificate error | Root CA is not trusted, or SAN is missing the requested IP. |

7. Using Domain Name Access

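To access the service by domain name instead, replace the IP in the example (in all steps) with your domain name. In server.cnf, a domain name goes in the SAN as a DNS entry (DNS.1 = <your domain>) instead of IP.1.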