CA certificate
yorishiro-proxy performs HTTPS interception (MITM) by dynamically generating server certificates signed by its own CA. To inspect HTTPS traffic, you must install this CA certificate in your operating system or browser trust store.
Automatic generation
On first startup, the CA certificate is automatically generated and saved to:
No manual action is required to generate the CA -- it is created the first time yorishiro-proxy runs.
Tip
Running yorishiro-proxy install ca --trust generates the CA certificate and registers it in your OS trust store automatically. On Linux it additionally registers the CA into the per-user NSSDB so Chromium and Firefox trust intercepted traffic out of the box (USK-857). You can skip the manual steps below.
Check the CA certificate path
Use the query tool to confirm the CA certificate location:
The response includes cert_path (file path) and fingerprint (SHA-256 hash) fields.
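Before adding the file at cert_path to a trust store, you can confirm that it hashes to the reported fingerprint. The following is an added example, not part of yorishiro-proxy. It assumes the fingerprint is the conventional SHA-256 over the certificate's DER encoding, given as hex with or without colons. The function names and the sample input are hypothetical.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for ca.crt: PEM armour around placeholder bytes,
# not a real certificate. It only exercises the decoding and hashing path.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def cert_sha256(pem_text: str) -> str:
    """Hex SHA-256 of the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        # A bundle would put more than the proxy CA into the trust store.
        raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return 64 lowercase hex digits."""
    hexval = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexval):
        raise ValueError("not a SHA-256 fingerprint")
    return hexval


def ca_matches(pem_text: str, reported: str) -> bool:
    """True only if the file's digest equals the reported fingerprint."""
    return cert_sha256(pem_text) == normalize_fingerprint(reported)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <cert_path> <fingerprint>
        with open(sys.argv[1], encoding="ascii") as fh:
            ok = ca_matches(fh.read(), sys.argv[2])
    else:  # no arguments: self-check against the constructed sample
        ok = ca_matches(SAMPLE_PEM, hashlib.sha256(SAMPLE_DER).hexdigest())
    print("fingerprint matches" if ok else "MISMATCH: do not trust this file")
    sys.exit(0 if ok else 1)
```

Run it with the cert_path and fingerprint values from the query response; a non-zero exit status means the file on disk is not the certificate the proxy reported.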
OS-specific installation
sudo cp ~/.yorishiro-proxy/ca/ca.crt \
    /usr/local/share/ca-certificates/yorishiro-proxy.crt
sudo update-ca-certificates
Chromium and Firefox on Linux read their own per-user NSSDB rather than the OS trust store. yorishiro-proxy install ca --trust registers the CA there automatically (USK-857). If you installed the CA manually instead, register it explicitly with certutil:
mkdir -p "$HOME/.pki/nssdb"
certutil -d sql:"$HOME/.pki/nssdb" \
    -A -t "C,," -n "yorishiro-proxy" \
    -i ~/.yorishiro-proxy/ca/ca.crt
certutil is provided by libnss3-tools on Debian/Ubuntu and nss-tools on Fedora/RHEL.
Alternative: skip CA installation with playwright-cli
If you are using playwright-cli for browser automation, you can skip CA certificate installation by enabling ignoreHTTPSErrors in the playwright configuration. This tells the browser to accept any certificate without verification, so certificate errors are suppressed for every connection in that browser context, not only for certificates issued by yorishiro-proxy.
Create .playwright/cli.config.json in your project root:
{
  "browser": {
    "browserName": "chromium",
    "launchOptions": {
      "channel": "chromium",
      "proxy": {
        "server": "http://127.0.0.1:8080"
      }
    },
    "contextOptions": {
      "ignoreHTTPSErrors": true
    }
  }
}
With this configuration, playwright-cli will route traffic through the proxy and accept yorishiro-proxy's dynamically generated certificates without needing to install the CA in the OS trust store.
Ephemeral CA
If you do not want to persist the CA certificate to disk, use the -ca-ephemeral flag:
{
  "mcpServers": {
    "yorishiro-proxy": {
      "command": "/path/to/bin/yorishiro-proxy",
      "args": ["server", "-stdio-mcp", "-ca-ephemeral"]
    }
  }
}
An ephemeral CA is generated in memory on each launch. This is useful for testing, but the certificate changes on every restart, so you cannot install it in a trust store.
Next steps
- First capture -- capture your first traffic
- HTTPS MITM -- how HTTPS interception works
- TLS configuration -- advanced TLS settings