# Browser Certificate Installation Guide ## Introduction This manual describes how to install browser certificates for testing access and modifications to sites that are protected by HTTP Strict Transport Security (HSTS). It is assumed that the reader is familiar with the basic steps of deploying configurations within Composable Agentic Platform and knows how to view the console output associated with the Composable Agentic Platform proxy server. When using the Composable Agentic Platform browser proxy for accessing secure web sites over HTTPS, you will encounter certificate warning in the browser, just like the following:

These warning are relatively easy to get around by clicking on the **Advanced** button and adding an exception. However, with the advent of HTTP Strict Transport Security (HSTS) this has now become impossible to do as the browser will refuse to add the exception:

Not possible to add an exception for the certificate

The following guide provides instructions on how to overcome this problem by installing a trusted certificate authority into your browser that Composable Agentic Platform in turn will use to generate valid replacement certificates for each SSL site on the fly. ## Getting started Before you begin you should make some updates to your Composable Agentic Platform installation. ### Required Updates The first step is to update/install the following components via the update server: * `Composable Agentic Platform console (10.0.0:21050 or later)` * `Base Rules (2021-07-16 or later)` * `BIP Runtime (2018-08-07 or later)` * `HTTP Rules (2021-07-15 or later)` ### Locating the certificate After the BIP Runtime extension has been installed, locate the folder named ‘**Certificates**’ under the Composable Agentic Platform Server installation: ![Certificates folder](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-dbc059333a91c283d1fb0ba5834568ed61726a34%2F4.png?alt=media) Our certificate is found in that folder with the name: **`root.pem`** ## Installing the certificate in Firefox To install the certificate authority in Firefox, start by selecting **Options** from the main menu: ![Firefox Settings](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-6cfcf64c0f7655cdb596665711661c77fd26a17b%2F5.png?alt=media) The select the **Privacy & Security** section and click **View Certificates**: ![View Certificates in Privacy & Security tab](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-17ca0580260c880c7f61f94c575c49349ecd5e01%2F6.png?alt=media) In the certificate manger, select the **Authorities** tab: ![Authorities tab in Certificate Manager](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-a88d3c45a64c6243e50616099c6b1c518131a87c%2F7.png?alt=media) Click on **Import**… then open the\*\*`root.pem`\*\* file from the location described earlier (the Certificates folder). You will be given the option to select the level of trust for the certificate. Select “**Trust this CA to identify websites**” and click on **OK**: ![Trust new Certificate Authority](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-a7f073274495b712a928be9985fe4b5755769f8d%2F8.png?alt=media) Click on **OK** again to close the certificate manager. ## Routing Firefox through the Composable Agentic Platform browser proxy To be able to see traffic flowing between Firefox and your target site, you must configure Firefox to use the proxy. Under the **Options** **Advanced** settings, select the **Network** tab and click on **Settings.** ![Browser Network Settings](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-b1839cee1faad92ed6961cd816b02a4616f1b492%2F9.png?alt=media) Configure the proxy as shown and click on OK:

You can now close the Settings tab in Firefox. The certificate is now installed, and you are ready to see traffic. ## Installing the certificate in Chrome/Edge for Windows Please note that by using the Chrome installation method, other browsers *(such as the Microsoft Edge browser will be affected as well).* We will therefore only show the Chrome approach. Important: To install the certificate, the user MUST have administrative privileges on the system. In the Chrome browser, select Settings: ![Chrome Settings](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-9519c5710aefc054f4c65e0caaa192997a49e983%2F11.png?alt=media) Scroll down the page that appears and click on **Privacy and Security** Locate the **HTTPS/SSL** section and click **Manage certificates…** ![Manage Certificates](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-194bcdaa2a4d55fe35ba0ef7b1752dffaa795b41%2F12.png?alt=media) In the dialog box that appears, navigate to the **Trusted Root Certification Authorities** tab and click on **Import.** ![Trusted Root Certification Authorities](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-cfa3e75ae8bf2768ba5027c27a46dcdcc46bf688%2F13.png?alt=media) This takes you to the certificate import wizard:

Click on **Next** ![Specify file for certificate](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-b712d6dfe1e9079e4d166b506fb95e850f62ad11%2F15.png?alt=media) Important: PEM files are not available as a default filter. To locate the file, select **All Files (\*.\*)**: ![Select poot.pen file from certificates](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-3dc164d026344799e8d9e9cb197a8293ad08db62%2F16.png?alt=media) Locate and select the `root.pem` file, then click on **Open** The file name now appears in the Certificate Import Wizard and you can click on **Next**. Select the certificate store as shown and click on **Next**:

You will be presented with a review page. Click on **Finish**. A security warning appears. Make sure you click on **Yes**: ![Security Warning window](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-417764e830ac42ee8ee770b815e0647730576fec%2F18.png?alt=media) The certificate will be imported: ![Successful message for certificate import](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-9a4dd50b2525b91bb7d8de054644cc7063051c30%2F19.png?alt=media) Close the certificates list: ![Certificate list window](https://2423451286-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F42mDa58RoaDxb6t8mbaI%2Fuploads%2Fgit-blob-522b9334fde05210e4f931cda77ad94538d246bb%2F20.png?alt=media) ## Routing Chrome/Edge through the Composable Agentic Platform browser proxy Please note that by using the Chrome installation method, other browsers *(such as the Microsoft Edge browser will be affected as well)*. We will therefore only show the Chrome approach. Within the Chrome advanced settings, locate Network and click on **Change proxy settings…**

In the internet properties that appears, click on **LAN settings**:

Set the proxy server as shown and click on **OK**:

Then click **OK** again to close the internet properties and close the Settings tab in Chrome. The certificate is now installed and you are ready to see traffic. ## Installing the certificate into the OSX Key Chain for Safari and Chrome Please note that both Safari and Chrome use the same certificate store so this installation applies to both. To install the certificate, navigate to the Certificates folder and double-click on the **`root.pem`** file. The Keychain Access utility will launch and requires you to enter your Admin User credentials:

Enter your password and click on **Modify Keychain** This will launch the **Keychain Access** utility with the certificate imported into the System keychain:

Double-Click on the TomorrowX CA certificate to bring up the details:

Expand the **Trust** option and set the drop-down ‘When using this certificate’ to **Always Trust:**

Close the pop-up details window and enter your administrator password to update. The entry will now have a blue circle with a white cross to indicate a trusted certificate and will have the following text: “This certificate is marked as trusted for all users”:

TomorrowX CA marked as trusted for all users

## Testing the certificate installation Now that your certificate is installed, switch to the Composable Agentic Platform console, select the Product Trial repository and deploy the BasicWebLister configuration to the proxy server. Wait for the proxy server to start. You are now ready to test if you can bypass HTTP Strict Transport Security (HSTS) protection. In your browser go to [https://www.google.com](https://www.google.com/) Google should load as normal:

And you should see traffic in the proxy console: