The first time mitmproxy or mitmdump is run, a set of certificate files for the mitmproxy Certificate Authority are created in the config directory (~/.mitmproxy by default). This CA is used for on-the-fly generation of dummy certificates for SSL interception. Since your browser won't trust the mitmproxy CA out of the box (and rightly so), you will see an SSL cert warning every time you visit a new SSL domain through mitmproxy. When you're testing a single site through a browser, just accepting the bogus SSL cert manually is not too much trouble, but there are a many circumstances where you will want to configure your testing system or browser to trust the mitmproxy CA as a signing root authority.

CA and cert files

The files created by mitmproxy in the .mitmproxy directory are as follows:

mitmproxy-ca.pem The private key and certificate in PEM format.
mitmproxy-ca-cert.pem The certificate in PEM format. Use this to distribute to most non-Windows platforms.
mitmproxy-ca-cert.p12 The certificate in PKCS12 format. For use on Windows.
mitmproxy-ca-cert.cer Same file as .pem, but with an extension expected by some Android devices.

Using a custom certificate

You can use your own certificate by passing the --cert option to mitmproxy.

The certificate file is expected to be in the PEM format. You can generate a certificate in this format using these instructions:

> openssl genrsa -out cert.key 8192
> openssl req -new -x509 -key cert.key -out cert.crt
    (Specify the mitm domain as Common Name, e.g. *.google.com)
> cat cert.key cert.crt > cert.pem
> mitmproxy --cert=cert.pem

Installing the mitmproxy CA