To decrypt HTTPS, BusymateHelper installs a private Root CA on the device and asks you to mark it as fully trusted. Until that's done the home screen shows Not Ready and the readiness card walks you through it. This page is the visual, step-by-step version of that flow.
The CA is generated on-device on first launch by BusymateHelper/Services/CertificateManager.swift, written into the App Group, and never leaves the device. iOS treats a user-installed Root CA as untrusted for TLS until you explicitly enable full trust in Settings — that final toggle is the step most people miss, so the walkthrough calls it out.
Watch the full flow
A 54-second narrated screen capture of the full setup on iOS, from Not Ready to All Set — turn your sound on for the step-by-step voice-over.
The five steps
- Tap the readiness card. On the home screen, BusymateHelper shows Not Ready while the CA is missing or untrusted. Tap the card to open the certificate sheet.
- Download the Root CA. The sheet's Download the Root CA button opens Safari and fetches the configuration profile. Tap Allow on the "This website is trying to download a configuration profile" prompt.
- Install the profile. Open Settings → Profile Downloaded → Install. Authenticate, accept the Warning, tap Install again, then confirm on the action sheet. iOS now holds the CA — but still does not trust it for TLS.
- Enable Full Trust. Go to Settings → General → About → Certificate Trust Settings, find the BusymateHelper Root CA, turn on Enable Full Trust, and tap Continue on the confirmation. This is the step that flips iOS from "installed" to "trusted".
- Back in the app: All Set. Return to BusymateHelper. The readiness card re-evaluates trust state and flips to All Set / Ready ✅. You can now turn on the VPN (or configure PAC) and start capturing decrypted HTTPS.
Where the trust check lives
CertificateManager computes the readiness state by checking both that the CA is present in the App Group and that iOS reports it as fully trusted. The home screen's SetupGuideView (see iOS connection modes) renders Not Ready vs All Set off that state, and the dashboard can re-open this same cert sheet remotely via an open-sheet broadcast carrying the cert key (consumed by RemoteSheetController — see BusymateHelper iOS).
The canonical short URLs for the CA itself are https://busymate.net/ca.mobileconfig (the configuration profile the walkthrough installs) and https://busymate.net/ca.pem (the raw PEM, for desktop / proxy-server use).
Where to look next
- iOS connection modes — the readiness card, VPN vs PAC swap, and where this sheet is hosted.
- BusymateHelper iOS — the full app architecture, including
CertificateManagerand the MITM leaf-cert path. - Per-device attribution — how decrypted traffic gets routed to the right device's feed.