Most interception sessions use the default Fluxzy CA, which is fine when the only client is your own browser or test harness. When a real device or a hardened application is in the loop, presenting a precise certificate becomes the difference between a successful capture and a TLS error you cannot debug.
Use useCertificateAction when Fluxzy should present a specific server certificate to the client instead of the one it generates on the fly and signs with the Fluxzy CA. This is useful when:
The certificate is retrieved in one of three modes: by serial number from the user store, by thumbprint from the user store, or from a PKCS#12 file with its password. The action is evaluated in the onAuthorityReceived scope, so it runs before the TLS handshake with the client.
Thumbprint from the user store: picks a certificate already installed on the host machine. Works on Windows and macOS, where the user store is widely used.
```yaml
rules:
  - filter:
      typeKind: HostFilter
      pattern: api.example.com
    actions:
      - typeKind: UseCertificateAction
        serverCertificate:
          retrieveMode: FromUserStoreThumbPrint
          thumbPrint: 9b74a1d3f8e2c47c0b6e2bb4f6c5c2e1a7f0d3b9
```
PKCS#12 file: best suited for containers and CI runners where there is no user store. Keep the password out of the rule file itself when you can.
```yaml
rules:
  - filter:
      typeKind: AnyFilter
    actions:
      - typeKind: UseCertificateAction
        serverCertificate:
          retrieveMode: FromPkcs12
          pkcs12File: /etc/fluxzy/server.p12
          pkcs12Password: changeit
```
Serial number from the user store: useful when several certificates share a common name but only the serial number is stable across renewals.
```yaml
rules:
  - filter:
      typeKind: HostFilter
      pattern: internal.example.com
    actions:
      - typeKind: UseCertificateAction
        serverCertificate:
          retrieveMode: FromUserStoreSerialNumber
          serialNumber: 00a1b2c3d4e5f6
```
Use a specific server certificate. The certificate can be retrieved from the user store or from a PKCS#12 file.
The evaluation scope defines when this action is applied.
onAuthorityReceived: this scope denotes the moment Fluxzy becomes aware of the destination authority. In a regular proxy connection, this is the moment Fluxzy has parsed the CONNECT request.
useCertificateAction
The following table describes the customizable properties available for this action:
| Property | Type | Description | Default value |
|---|---|---|---|
| serverCertificate.retrieveMode | one of: fluxzyDefault, fromUserStoreSerialNumber, fromUserStoreThumbPrint, fromPkcs12 | Retrieve mode | |
| serverCertificate.serialNumber | string | Serial number of a certificate available in the user store | |
| serverCertificate.thumbPrint | string | Thumbprint of a certificate available in the user store (hex format) | |
| serverCertificate.pkcs12File | string | Path to a PKCS#12 certificate | |
| serverCertificate.pkcs12Password | string | Certificate passphrase when pkcs12File is defined | |
The following example applies this action to all exchanges.
Use a certificate with serial number xxxxxx, retrieved from the local user store, as the server certificate.
```yaml
rules:
  - filter:
      typeKind: AnyFilter
    actions:
      - typeKind: UseCertificateAction
        serverCertificate:
          retrieveMode: FromUserStoreSerialNumber
          serialNumber: xxxxxx
```
View definition of UseCertificateAction for .NET integration.
This action has no related action.
useCertificateAction overrides the server-side certificate that Fluxzy presents to the client. setClientCertificateAction picks the client-side certificate that Fluxzy sends to the upstream server during mTLS.
Linux does not have a native user store, so the PKCS#12 mode is the practical option. Provide the path to a .p12 or .pfx file together with the password.
The client may reject the connection. Either provide a certificate whose Subject Alternative Names cover the host, or, when reproducing a failure scenario on purpose, expect the client to report a validation error.
Yes. Fluxzy reuses the loaded certificate for the lifetime of the rule. Restart the proxy or change the rule if you rotate the file on disk.
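As an added example (not part of the Fluxzy documentation or code base), the following Go program, using only the standard library, builds a constructed self-signed certificate and shows how to derive the values the rule fields above take: the SHA-1 thumbprint in hex for thumbPrint, the serial number in hex for serialNumber, and a Subject Alternative Name check for the host a HostFilter targets, so you can tell before loading a rule whether a validating client will accept the certificate. Assumptions: Fluxzy's thumbPrint is the SHA-1 fingerprint of the DER certificate in lowercase hex (the 40-character form shown in the thumbprint example), serialNumber is the serial's big-endian bytes in hex, and the hostnames and the 0xa1b2c3 serial are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint returns the SHA-1 fingerprint of the certificate's DER encoding as
// lowercase hex. Assumption: this is the format Fluxzy's thumbPrint field expects.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// SerialHex returns the serial number as lowercase hex of its big-endian bytes.
// Assumption: this matches the form used by the serialNumber field.
func SerialHex(cert *x509.Certificate) string {
	return hex.EncodeToString(cert.SerialNumber.Bytes())
}

// CoversHost reports whether the certificate's Subject Alternative Names match
// host, i.e. whether a client that validates the hostname would accept it.
func CoversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// NewTestCert builds a constructed self-signed certificate for the given DNS
// names. It stands in for a certificate loaded from the user store or a .p12.
func NewTestCert(serial int64, dnsNames ...string) (*x509.Certificate, error) {
	if len(dnsNames) == 0 {
		return nil, errors.New("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: one exact name and one wildcard SAN.
	cert, err := NewTestCert(0xa1b2c3, "api.example.com", "*.internal.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("thumbPrint:  ", Thumbprint(cert))
	fmt.Println("serialNumber:", SerialHex(cert))
	for _, h := range []string{"api.example.com", "svc.internal.example.com", "other.example.com"} {
		fmt.Printf("%-28s covered=%v\n", h, CoversHost(cert, h))
	}
}
```

To apply this to a real certificate, replace NewTestCert with x509.ParseCertificate over the DER bytes exported from the store or extracted from the .p12 file; the three helper functions stay the same. A host for which CoversHost returns false is one where the client will report the validation error described above.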