Trust the certificate

Install and fully trust the Busymate Root CA so HTTPS bodies can be decrypted.

To show you what is inside HTTPS traffic, BusymateHelper has to decrypt it, and that only works if the device trusts the app's Root CA certificate. iOS makes this a deliberate two-step process, and the app's readiness card tells you exactly when you're done.

Why this is needed

HTTPS is encrypted end to end. To show you the contents of a request, BusymateHelper acts as a trusted middle layer: it presents your device with a certificate it signed itself for each decrypted host. Your device will only accept those certificates if it fully trusts the Busymate Root CA that signed them.

Until that trust is in place, the home screen shows Setup incomplete in place of the capture controls — because neither VPN nor PAC mode can decrypt anything without it.

Note: Only the domains in your SSL-proxy list are ever decrypted. Trusting the CA doesn't open up everything — it just makes decryption possible for the hosts you've chosen.
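
The trust relationship described above can be reproduced on a computer with the openssl command-line tool. This is an added example, not BusymateHelper's own code: the root CA, keys and host name api.example.test are constructed for the demo, and the function names make_chain, leaf_accepted and root_fingerprint are hypothetical. It assumes a default openssl.cnf, which marks the self-signed root as a CA.

```shell
#!/bin/sh
# Constructed demo: a throwaway root CA signs a per-host leaf certificate.
# All names and keys are made up; nothing here comes from the Busymate CA.

# make_chain DIR HOST: create root.pem (self-signed CA) and leaf.pem for HOST.
make_chain() {
    dir=$1 host=$2
    # Root CA: self-signed; the default openssl.cnf is assumed to add CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Leaf certificate for one host, signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
}

# leaf_accepted LEAF [ROOT]: succeed only if LEAF chains to a trusted root.
# Without ROOT, only the machine's default trust store is consulted.
leaf_accepted() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# root_fingerprint ROOT: SHA-256 fingerprint of a root certificate, for
# comparison with a value obtained out of band before trust is enabled.
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp" "api.example.test" || return 1
    if leaf_accepted "$tmp/leaf.pem"; then r=accepted; else r=rejected; fi
    echo "root not trusted: leaf $r"
    if leaf_accepted "$tmp/leaf.pem" "$tmp/root.pem"; then r=accepted; else r=rejected; fi
    echo "root trusted:     leaf $r"
    echo "root SHA-256:     $(root_fingerprint "$tmp/root.pem")"
    rm -rf "$tmp"
}
demo
```

The same root_fingerprint call works on any root PEM you are about to trust, so its value can be compared with one obtained through a separate channel.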

The readiness card

At the bottom of the home screen is a readiness card:

  • Yellow shield — "Not Ready" — the certificate isn't installed and trusted yet. Tap the card to open the setup steps.
  • Green shield — "Ready" — "Certificate installed and trusted." You're done.

iOS can't notify the app when you install or trust a profile in Settings, so while the setup sheet (or home screen) is open, the app re-checks trust on a short timer and on every return to the foreground. Each step flips its checkmark live, and the card turns green on its own once all of them pass — no manual confirm.

Step 1 — Install the profile

Open the setup sheet from the readiness card and tap Download.

  1. The app fetches the shared Busymate Root CA and writes it locally, then opens Safari to the configuration profile at:

    https://busymate.net/ca.mobileconfig

    (The same short URL works at dash.busymate.net/ca.mobileconfig, and the raw PEM is at https://busymate.net/ca.pem.)

  2. iOS shows a "Profile Downloaded" banner. Open the Settings app, tap that banner near the top, then tap Install on the BusymateHelper profile.

Step 2 — Turn on full trust

Installing the profile is not enough — iOS requires a separate, explicit trust toggle for any user-installed root CA. This is the step people most often miss.

Go to:

Settings → General → About → Certificate Trust Settings

Find BusymateHelper under "Enable Full Trust For Root Certificates" and switch it on.

Heads up: If the readiness card stays yellow, this is almost always the cause — the profile is installed but full trust is still off. Double-check the toggle above.

You're done

Once the profile is installed and full trust is on, the readiness card turns green within a second or two. The home screen swaps Setup incomplete for the VPN and PAC controls, and you're ready to pick a capture mode.

Tip: The installed profile and trust toggle live in the OS keychain, so they survive an app reinstall. After reinstalling, BusymateHelper quietly re-fetches its copy of the CA and the readiness card goes green again without you re-walking these steps.

For the full picture of what each step does under the hood — the shared CA, why both clients trust one root, and the trust evaluation the app runs — see the certificate setup deep-dive.