Configuring SSL in Hoverfly

Hoverfly supports both one-way and two-way SSL authentication.

Hoverfly uses default certificate which you should add to your HTTPS client’s trust store for one-way SSL authentication. You have options to provide your own certificate, please see below.

Override default certificate for one-way SSL authentication

In some cases, you may not wish to use Hoverfly’s default SSL certificate. Hoverfly allows you to generate a new certificate and key.

The following command will start a Hoverfly process and create new cert.pem and key.pem files in the current working directory. These newly-created files will be loaded into the running Hoverfly instance.

hoverfly -generate-ca-cert

Optionally, you can provide a custom certificate name and authority:

hoverfly -generate-ca-cert -cert-name tutorial.cert -cert-org "Tutorial Certificate Authority"

Once you have generated cert.pem and key.pem files with Hoverfly, you can use hoverctl to start an instance of Hoverfly using these files.

hoverctl start --certificate cert.pem --key key.pem


Both a certificate and a key file must be supplied. The files must be in unencrypted PEM format.

Configure Hoverfly for two-way SSL authentication

For two-way or mutual SSL authentication, you should provide Hoverfly with a client certificate and a certificate key that you use to authenticate with the remote server.

Two-way SSL authentication is only enabled for request hosts that match the value you provided to the --client-authentication-destination flag. You can also pass a regex pattern if you need to match multiple hosts.

hoverctl start --client-authentication-client-cert cert.pem --client-authentication-client-key key.pem --client-authentication-destination <host name of the remote server>

If you need to provide a CA cert, you can do so using the --client-authentication-ca-cert flag.