
Trusting the root CA certificate

The root CA certificate generated by Hetty is used for signing on-the-fly TLS certificates when Hetty proxies with machine-in-the-middle (MITM) behavior. By default, your system and browser don't trust this root CA certificate, which results in warnings and/or blocked access from your browser.

Aside from starting Hetty with the --chrome option (see: Getting Started), you can add the root CA certificate to your system’s trust store. The quickest way to do this is via a built-in subcommand of Hetty:

hetty cert install

When invoked without options, it looks for the root CA certificate at ~/.hetty/hetty_cert.pem. You can use the --cert option to override this.

Depending on your OS, you’ll be prompted for sudo access. hetty cert uses the Go package truststore, in case you want to inspect what it does under the hood.

If you don’t feel comfortable granting privileged access to Hetty, you can also manually trust the root CA certificate (default location: ~/.hetty/hetty_cert.pem). Instructions vary per OS, but can be easily found via a search engine.
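
Whichever route you take, it is worth inspecting the certificate before trusting it system-wide. The Go program below is an added example, not part of Hetty or truststore: it checks that a PEM certificate is a CA inside its validity window and returns its SHA-256 fingerprint. The names inspectCA and sampleCert are hypothetical, and the certificate it checks is a constructed stand-in generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// sampleCert builds a constructed self-signed certificate (not Hetty's) for the demo.
func sampleCert(isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed demo CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// inspectCA returns the SHA-256 fingerprint of a PEM certificate, or an error if it is not a valid CA at time now.
func inspectCA(pemBytes []byte, now time.Time) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return "", fmt.Errorf("certificate %q is not a CA", cert.Subject.CommonName)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate is outside its validity period (ends %s)", cert.NotAfter)
	}
	sum := sha256.Sum256(cert.Raw) // fingerprint over the DER encoding
	return fmt.Sprintf("%x", sum), nil
}

func main() {
	fmt.Println(inspectCA(sampleCert(true), time.Now()))
}
```

To check the real file, read ~/.hetty/hetty_cert.pem (or the path passed to --cert) with os.ReadFile and pass the bytes to inspectCA. The fingerprint can then be compared with the entry shown in your OS or browser trust store after installation.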