Certificates PRO

Pro. Certificates are part of HTTPBot Pro (Advanced Auth & Certificates). You can view and edit existing certificates for free, but adding a new one requires Pro.

Some servers need more than a username and password to talk to them. HTTPBot's certificate support covers two needs:

Together with the Verify SSL toggle in request settings, these let you work against mutually-authenticated APIs, internal staging servers, and self-signed development boxes.

Where to manage certificates

Open Settings → Certificates. You can also reach the same screen from a request's menu → Certificates.

The Certificates screen has two sections: CA Certificate and Client Certificates.

The Certificates screen showing the CA Certificate and Client Certificates sections.The Certificates screen showing the CA Certificate and Client Certificates sections.The Certificates screen showing the CA Certificate and Client Certificates sections.

Client certificates (mTLS)

A client certificate lets HTTPBot authenticate itself to a server during the TLS handshake — common for mutual-TLS (mTLS) APIs. HTTPBot stores each client certificate with a host and port so it knows which servers to present it to.

Adding a client certificate

  1. On the Certificates screen, tap Add Client Certificate… (or the + button).
  2. Fill in the Details:
    • Name — optional label to recognize the certificate.
    • Host — the server hostname this certificate is for, e.g. api.example.com. Wildcards are supported, for example *.example.com.
    • Port — defaults to 443.
  3. Provide the certificate material in one of two ways:
    • PFX / PKCS#12 — choose a single .p12 / .pfx bundle.
    • CRT + Key — choose a certificate file (.crt / .pem) and its separate private key (.key / .pem).
  4. Add a Passphrase if the file is encrypted.
  5. Save.

The client certificate editor with Details and Certificate sections.The client certificate editor with Details and Certificate sections.The client certificate editor with Details and Certificate sections.

You provide either a PFX bundle or both a certificate and its private key — not both kinds at once.

How matching works

Each saved client certificate auto-attaches to any request whose host (and port) matches what you configured. You don't pick a certificate per request — set the host once and HTTPBot presents it automatically to matching servers. Wildcard hosts like *.example.com let one certificate cover multiple subdomains.

Certificate details and expiry

After import, HTTPBot reads and displays the certificate's metadata so you can confirm you imported the right one:

In the list, a client certificate is flagged Expired if its validity has passed, or Not yet valid if its start date is in the future — a quick way to spot a certificate that won't work before you hit a failed handshake.

A client certificate row showing a red "Expired" chipA client certificate row showing a red "Expired" chipA client certificate row showing a red "Expired" chip

CA certificates

A CA (certificate authority) bundle tells HTTPBot which additional authorities to trust when verifying server certificates. Import one when you work against a server whose certificate is signed by a private/internal CA, or a self-signed development server, that isn't in the system's default trust store.

Importing a CA bundle

  1. On the Certificates screen, tap Import CA Bundle….
  2. Select a PEM bundle file.
  3. Save.

HTTPBot reports how many trust anchors (certificates) the bundle contains. The CA bundle is trusted for all requests, in addition to the system trust store — so you keep validating against normal public CAs and your imported one.

To stop trusting it, open the CA section and choose Remove CA Bundle. After removal, requests fall back to validating server certificates using the system trust store only.

The CA Certificate section after importing a bundle, showing the trust-anchor count.The CA Certificate section after importing a bundle, showing the trust-anchor count.The CA Certificate section after importing a bundle, showing the trust-anchor count.

SSL verification

Each request has a Verify SSL toggle in its settings (see Request Settings). It controls whether HTTPBot validates the server's TLS certificate:

Turning Verify SSL off applies to WebSocket connections too, so you can connect to self-signed wss:// endpoints (see WebSockets). A client certificate still attaches even when Verify SSL is off — handy for self-signed mTLS dev servers.

The Verify SSL toggle in a request's settings.The Verify SSL toggle in a request's settings.The Verify SSL toggle in a request's settings.

Choosing between them

Related