For each request using the HTTPS protocol, NeoLoad retrieves the certificate provided by the SSL server. This certificate is essential to ensure secure communication between the proxy and server. Moreover, NeoLoad takes on the role of the server, issuing a certificate that is sent to the browser to secure communication between proxy and client. This certificate, created on-the-fly by NeoLoad during recording, is not recognized by the browser as being valid, since it is not authenticated by any certificate authority. The browser displays messages warning that the certificate provided by the server (in this case NeoLoad) cannot be trusted and that, consequently, the connection cannot be secured.

Importing the authority certificate (root certificate) into NeoLoad enables each certificate generated automatically during recording to be authenticated, thus preventing the display of certificate error messages in the browser. The root certificate is placed in the certificate authorities keystore. The section Install the root certificate details the procedure to follow. Be warned that installing a root certificate in a browser creates a serious security loophole. It is important to have read and fully understood the associated risks for the machine security as set out in Security warning before proceeding.

Certificates used for SSL interception

To capture HTTPS traffic, we implement man-in-the-middle interception. You can either use our self-signed certificate named "Embedded NeoLoad Certificate" or browse to your own that you can add in the HTTP recorder panel in the Edit > Preferences > General Settings of NeoLoad.

The root certificate is created when NeoLoad is first launched and is named NeoLoad_Root_CA.cer. It can be found in the configuration sub-directory of the user profile directory.

In Windows, the configuration directory is accessible from %appdata%, for example:

In Unix/Linux/Mac, the configuration directory is accessible from <$HOME>, for example: