Install our CA certificate
With TLS spoofing on, the edge terminates your TLS and hands back a leaf certificate signed by our CA (nixproxy). Your client rejects it unless our CA is in its trust store. Download the CA from your subscription’s Certificate tab and install it with the steps below.
Why this is needed
Our fingerprint spoofing runs on a man-in-the-middle: in full-spoof mode (Mode 3) the edge terminates your TLS and presents a per-host leaf certificate signed by our certificate authority. A browser or any cert-checking tool rejects that leaf — and errors on every HTTPS site — unless our CA is installed in the machine’s trust store. Installing it once is the missing step that makes browser-grade stealth work for real.
Do I need this?
Install our CA when stealth is ON and your client verifies TLS certificates (browsers, curl, Python requests, most SOCKS5 clients). In full-spoof mode the edge terminates your TLS and hands back a leaf certificate signed by our CA — your client rejects it unless our CA is in its trust store, so you get a certificate error on every HTTPS site. Not needed for non-spoofed / pass-through use.
Step-by-step by target
Windows
Double-click the .cer (DER) file and import it into Trusted Root Certification Authorities, or run (elevated):
certutil -addstore Root nixproxy.cermacOS
Open the .crt in Keychain Access → System, then set it to Always Trust, or run:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain nixproxy.crtLinux
Copy the PEM into the system store and refresh it:
sudo cp nixproxy.crt /usr/local/share/ca-certificates/nixproxy.crtsudo update-ca-certificatesFirefox (uses its OWN store)
Firefox does NOT use the OS trust store. Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import the .crt, and tick "Trust this CA to identify websites." Do this even after installing it on the OS.
curl
Point curl at the PEM for the request:
curl --cacert nixproxy.crt https://example.comPython requests
Point requests at the PEM, per-call or via the environment:
requests.get("https://example.com", verify="nixproxy.crt")export REQUESTS_CA_BUNDLE=/path/to/nixproxy.crtGeneric SOCKS5 client
Point the client's CA bundle / trust-store setting at our PEM so it trusts the leaf the edge presents.
Alternative: disable verification (not recommended)
You can disable certificate verification instead (e.g. curl -k, or requests verify=False) — it works without installing anything. But a real browser always verifies, so verification-off is itself a detection signal and undercuts the "look like a real browser" goal. Install the CA for true browser-grade stealth.
After a CA rotation
If we rotate our root CA, the certificate you installed stops matching the leaf the edge presents and certificate errors return. When that happens, download the new CA from the Certificate tab and re-run the install steps for each tool. The fingerprint shown on the tab lets you confirm you installed the current CA.