Certificates PRO
Pro. Certificates are part of HTTPBot Pro (Advanced Auth & Certificates). You can view and edit existing certificates for free, but adding a new one requires Pro.
Some servers need more than a username and password to talk to them. HTTPBot's certificate support covers two needs:
- Client certificates (mTLS) — present a certificate to the server to prove who you are.
- CA certificates — tell HTTPBot to trust a custom or internal certificate authority so it can verify the server.
Together with the Verify SSL toggle in request settings, these let you work against mutually-authenticated APIs, internal staging servers, and self-signed development boxes.
Where to manage certificates
Open Settings → Certificates. You can also reach the same screen from a request's … menu → Certificates.
The Certificates screen has two sections: CA Certificate and Client Certificates.



Client certificates (mTLS)
A client certificate lets HTTPBot authenticate itself to a server during the TLS handshake — common for mutual-TLS (mTLS) APIs. HTTPBot stores each client certificate with a host and port so it knows which servers to present it to.
Adding a client certificate
- On the Certificates screen, tap Add Client Certificate… (or the + button).
- Fill in the Details:
- Name — optional label to recognize the certificate.
- Host — the server hostname this certificate is for, e.g.
api.example.com. Wildcards are supported, for example*.example.com. - Port — defaults to
443.
- Provide the certificate material in one of two ways:
- PFX / PKCS#12 — choose a single
.p12/.pfxbundle. - CRT + Key — choose a certificate file (
.crt/.pem) and its separate private key (.key/.pem).
- PFX / PKCS#12 — choose a single
- Add a Passphrase if the file is encrypted.
- Save.



You provide either a PFX bundle or both a certificate and its private key — not both kinds at once.
How matching works
Each saved client certificate auto-attaches to any request whose host (and port) matches what you configured. You don't pick a certificate per request — set the host once and HTTPBot presents it automatically to matching servers. Wildcard hosts like *.example.com let one certificate cover multiple subdomains.
Certificate details and expiry
After import, HTTPBot reads and displays the certificate's metadata so you can confirm you imported the right one:
- Subject and Issuer
- Valid From and Expires dates
In the list, a client certificate is flagged Expired if its validity has passed, or Not yet valid if its start date is in the future — a quick way to spot a certificate that won't work before you hit a failed handshake.



CA certificates
A CA (certificate authority) bundle tells HTTPBot which additional authorities to trust when verifying server certificates. Import one when you work against a server whose certificate is signed by a private/internal CA, or a self-signed development server, that isn't in the system's default trust store.
Importing a CA bundle
- On the Certificates screen, tap Import CA Bundle….
- Select a PEM bundle file.
- Save.
HTTPBot reports how many trust anchors (certificates) the bundle contains. The CA bundle is trusted for all requests, in addition to the system trust store — so you keep validating against normal public CAs and your imported one.
To stop trusting it, open the CA section and choose Remove CA Bundle. After removal, requests fall back to validating server certificates using the system trust store only.



SSL verification
Each request has a Verify SSL toggle in its settings (see Request Settings). It controls whether HTTPBot validates the server's TLS certificate:
- Verify SSL on (default) — the server certificate must be trusted, by the system trust store and any CA bundle you've imported. An untrusted certificate fails the request. The fix is usually to import the server's CA, or to turn the toggle off for that request.
- Verify SSL off — HTTPBot skips server-certificate validation, allowing self-signed certificates. This is a deliberate kill-switch: when it's off, it takes precedence over an imported CA bundle. Use it for local development against servers you control.
Turning Verify SSL off applies to WebSocket connections too, so you can connect to self-signed wss:// endpoints (see WebSockets). A client certificate still attaches even when Verify SSL is off — handy for self-signed mTLS dev servers.



Choosing between them
- Connecting to an internal or self-signed server you'll use repeatedly? Import its CA bundle so verification keeps passing without weakening other requests.
- Just need a quick one-off against a self-signed box? Turn off Verify SSL for that request.
Related
- Request Settings — the Verify SSL toggle
- WebSockets — SSL verification for
wss://connections - Authentication — other ways to authenticate requests