Troubleshoot macOS Trust Certificate Issues

Environment

Product: Fiddler Everywhere
Product Version: 1.0.0 and above
Supported OS: macOS
OS tool: Keychain Access

Description

To capture secure traffic (HTTPS), Fiddler Everywhere needs its root certificate (DO_NOT_TRUST_FiddlerRoot) installed in the user's login keychain and marked as trusted in macOS's Keychain Access application. On some occasions, this process fails, and the Fiddler Everywhere client reports the error "Fiddler root certificate NOT trusted successfully". This article explains how to troubleshoot the certificate installation on macOS with a small Bash script and the security command-line tool.

Test Certificate Import

To test importing the Fiddler Root certificate with a Bash script, execute the following steps:

  1. Create a Bash file, for example, import.sh.

  2. Save the following script in the above file:

    #!/bin/bash
    # Abort early if no login keychain is listed for the current user.
    login_keychains_paths=$(security list-keychains | grep -e "\Wlogin.keychain\W");
    
    if [ -z "$login_keychains_paths" ]
        then
            echo "No login keychain found.";
            exit 10;
    fi
    # Import the Fiddler root certificate into the login keychain and mark it as
    # trusted for this user. macOS prompts for your username and password here.
    security add-trusted-cert -k login.keychain ~/Desktop/FiddlerRootCertificate.crt;
    
    security_exit_code=$?;
    if [ $security_exit_code -ne 0 ]
        then
            echo "security add-trusted-cert failed with error code $security_exit_code";
            exit $security_exit_code;
    fi
    
  3. Make the import.sh file executable.

    chmod +x import.sh
    
  4. Execute the created file in your Bash shell.

    ./import.sh
    

    The script expects the certificate exported from Fiddler Everywhere at ~/Desktop/FiddlerRootCertificate.crt. While it runs, macOS prompts for your macOS username and password, because adding a trusted certificate modifies the trust settings of your login keychain. Enter the credentials, and the Fiddler root certificate is added to the Keychain Access application (under login > Certificates as DO_NOT_TRUST_FiddlerRoot).

  5. Test that the certificate generated by Fiddler is installed and trusted by exporting the user trust settings (the same domain that add-trusted-cert wrote to, since neither command was run with -d) with the following command in your Bash shell:

    security trust-settings-export /tmp/trustSettings.xml
    

    When successful, the command should output a success message:

    ...Trust Settings exported successfully.
    
  6. Confirm that DO_NOT_TRUST_FiddlerRoot is present in the Keychain Access application (under login > Certificates). Double-click the certificate, scroll to the bottom of the details pane and note the SHA-1 fingerprint. Open the exported file /tmp/trustSettings.xml and check that the same SHA-1 value (written as uppercase hex without spaces) appears as a key in the trust list, for example:

    <key>68E0B8FE34DF4A756B664E300B067CA9A1B9DE8</key>
    

    The SHA-1 value in trustSettings.xml and the one shown in Keychain Access must be identical. If the certificate is listed in Keychain Access but its SHA-1 key is missing from the export, the certificate was imported but its trust settings were not applied, which is exactly the state that produces the "NOT trusted" error in Fiddler Everywhere.

    You can safely delete the /tmp/trustSettings.xml file after the troubleshooting. It is only needed to check that the SHA-1 key is properly exported.
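The whole procedure above, from locating the login keychain to comparing the SHA-1 fingerprint against the exported trust settings, can be automated so that the comparison in step 6 is not done by eye. The following script is an added example written for this article; it is not a script shipped with Fiddler Everywhere. It assumes the certificate exported from Fiddler is at ~/Desktop/FiddlerRootCertificate.crt (or is passed as the first argument), that the export goes to /tmp/trustSettings.xml as in the steps above, and that security(1) and openssl(1) are available, as they are on macOS. The file name check_fiddler_root.sh is likewise an assumption.

```shell
#!/bin/sh
# Added example (check_fiddler_root.sh), not part of Fiddler Everywhere:
# import the Fiddler root certificate into the login keychain, export the
# user trust settings, and verify that the certificate's SHA-1 fingerprint is
# listed there, i.e. that the root is not merely imported but trusted.
# Assumptions: certificate at ~/Desktop/FiddlerRootCertificate.crt (or $1),
# security(1) and openssl(1) present (both ship with macOS).
set -u

CERT_PATH="${1:-$HOME/Desktop/FiddlerRootCertificate.crt}"
TRUST_EXPORT="/tmp/trustSettings.xml"

# Full path of the login keychain, taken from `security list-keychains` rather
# than the bare name login.keychain (current macOS versions use login.keychain-db).
login_keychain_path() {
    security list-keychains | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//' \
        | grep 'login\.keychain' | head -n 1
}

# Normalise a fingerprint as printed by openssl ("SHA1 Fingerprint=68:E0:...")
# or by Keychain Access ("68 E0 B8 ...") into the form trust-settings-export
# uses as a key: uppercase hex with no separators.
normalize_fingerprint() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# SHA-1 fingerprint of a PEM or DER certificate file, normalised as above.
cert_sha1() {
    local fp
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null) \
        || fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 2>/dev/null) \
        || return 1
    normalize_fingerprint "$fp"
}

# Succeed when the fingerprint appears as a <key> in an exported trust settings plist.
fingerprint_in_trust_settings() {
    local fp
    fp=$(normalize_fingerprint "$1")
    [ -n "$fp" ] && grep -q -F "<key>${fp}</key>" "$2"
}

main() {
    kc=$(login_keychain_path)
    if [ -z "$kc" ]; then
        echo "No login keychain found." >&2
        exit 10
    fi
    if [ ! -r "$CERT_PATH" ]; then
        echo "Certificate file not found: $CERT_PATH" >&2
        exit 2
    fi

    # Import the root and mark it trusted for this user; macOS prompts for the
    # account password at this point.
    security add-trusted-cert -k "$kc" "$CERT_PATH" || {
        rc=$?
        echo "security add-trusted-cert failed with exit code $rc" >&2
        exit "$rc"
    }

    security trust-settings-export "$TRUST_EXPORT" || exit $?

    expected=$(cert_sha1 "$CERT_PATH") || {
        echo "Could not read a certificate from $CERT_PATH" >&2
        exit 3
    }

    if fingerprint_in_trust_settings "$expected" "$TRUST_EXPORT"; then
        echo "OK: SHA-1 $expected is listed in $TRUST_EXPORT"
    else
        echo "FAIL: SHA-1 $expected is not in $TRUST_EXPORT; the root was imported but not trusted" >&2
        exit 1
    fi

    # End-to-end check: ask the trust evaluator itself whether the root verifies
    # under the default policy; this should succeed once the root is trusted.
    security verify-cert -c "$CERT_PATH" || {
        echo "FAIL: security verify-cert rejects the Fiddler root" >&2
        exit 1
    }
    rm -f "$TRUST_EXPORT"
}

# Run the procedure only where security(1) exists; the helper functions above
# are plain text processing and work on any system.
if command -v security >/dev/null 2>&1; then
    main "$@"
else
    echo "security(1) not found; this script is intended for macOS." >&2
fi
```

Run it as ./check_fiddler_root.sh, or pass an explicit path to the .crt file as the first argument. The script exits non-zero with a message for each failure mode the article describes: no login keychain (exit 10), a failing add-trusted-cert (its own exit code), and a certificate that is present in the keychain but whose SHA-1 key is absent from the exported trust settings (exit 1). Comparing the fingerprint computed from the .crt file with the export removes the manual step of reading the hash off the Keychain Access dialog.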
