WebView2 fails with net::ERR_CERT_AUTHORITY_INVALID due to expired “Titanium Root Certificate Authority” (CurrentUser\Root) #635

@Memory-of-Snow

Hi, I’m seeing a certificate/TLS failure in ElectronicObserverEN that looks related to an expired locally-trusted root CA used for HTTPS interception.

Environment

  • OS: Windows 11
  • ElectronicObserver: latest — version (5.3.21.0)
  • WebView2 Runtime (Evergreen): 144.0.3719.104
  • Microsoft Edge: 144.0.3719.115
  • Locale/Timezone: ja-JP, JST (UTC+9)

Symptom

  • In ElectronicObserver (WebView2), navigation fails with:
    • net::ERR_CERT_AUTHORITY_INVALID
  • The same URL works in Edge (no certificate error).

Certificate findings

When checking the certificate shown inside the WebView2 view, the issuer appears as:

  • Issuer: CN=Titanium Root Certificate Authority

In Windows certificate store, I found a trusted root certificate in CurrentUser\Root (not in LocalMachine\Root):

  • Subject: CN=Titanium Root Certificate Authority
  • Thumbprint: E175275DCCE339BD2C1EA5C04B261F2B84743E59
  • HasPrivateKey: True
  • NotBefore: 2022-11-03 15:18:21
  • NotAfter: 2026-02-06 15:18:21 (JST)

PowerShell output (sanitized user name):

$thumb="E175275DCCE339BD2C1EA5C04B261F2B84743E59"

"=== CurrentUser ==="
Get-ChildItem Cert:\CurrentUser\Root | ? Thumbprint -eq $thumb | fl Subject,Thumbprint,NotBefore,NotAfter

"=== LocalMachine ==="
Get-ChildItem Cert:\LocalMachine\Root | ? Thumbprint -eq $thumb | fl Subject,Thumbprint,NotBefore,NotAfter

=== CurrentUser ===
Subject    : CN=Titanium Root Certificate Authority
Thumbprint : E175275DCCE339BD2C1EA5C04B261F2B84743E59
NotBefore  : 2022/11/03 15:18:21
NotAfter   : 2026/02/06 15:18:21

=== LocalMachine ===
(no results)

Reproduction / behavior

  1. Remove the certificate from Cert:\CurrentUser\Root (by thumbprint).
  2. Launch ElectronicObserver.
  3. The app prompts to install a certificate again.
  4. The certificate does not automatically re-appear unless I follow the prompt.

Expected behavior

If a locally-trusted root CA is required for HTTPS interception, I’d expect:

  • explicit detection of a missing / expired CA,
  • clear user guidance for renewing/regenerating the CA when it’s near expiry,
  • documentation on scope/risk (e.g., CurrentUser only, what traffic is affected, how to remove it cleanly).

Questions / requests

  • Is ElectronicObserver intentionally using a local MITM/proxy approach that requires installing a trusted root CA (showing up as Titanium Root Certificate Authority)?
  • If yes, could the app:
    • warn when the CA is expired / expiring soon, and
    • provide a safer, clearer renewal flow and documentation?
  • If a CA-less approach is feasible (e.g., WebView2 interception APIs instead of OS-trusted root CA), is there any plan to migrate?
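
A check along the lines the issue asks for, as an added example that is not part of the original post and not ElectronicObserver's code: it lists roots trusted only for the current user and flags those that are expired, close to expiry, or stored with a private key. The 30-day threshold and the `$WarnDays` parameter name are assumptions.

```powershell
# Added example: audit per-user trusted roots. Not ElectronicObserver code.
# $WarnDays is an assumed threshold, not a value from the issue.
param([int]$WarnDays = 30)

$now = Get-Date

# Thumbprints trusted machine-wide. Roots also present there are subtracted
# to leave the ones that are trusted for this user only.
$machineRoots = @{}
Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { $machineRoots[$_.Thumbprint] = $true }

$findings = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { -not $machineRoots.ContainsKey($_.Thumbprint) } |
    ForEach-Object {
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        $status = 'Valid'
        if ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
        if ($_.NotAfter -lt $now)    { $status = 'Expired' }
        if ($_.NotBefore -gt $now)   { $status = 'NotYetValid' }

        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            Status        = $status
            # A root stored with its private key can issue certificates for
            # any host name, which is how a local HTTPS-intercepting proxy works.
            HasPrivateKey = $_.HasPrivateKey
        }
    }

# Report anything that is not plainly healthy, or that carries a signing key.
$flagged = @($findings | Where-Object { $_.Status -ne 'Valid' -or $_.HasPrivateKey })
if ($flagged.Count -eq 0) {
    'No user-only root CA is expired, expiring soon, or stored with a private key.'
} else {
    $flagged | Sort-Object NotAfter | Format-Table -AutoSize
}
```

On the machine described in the issue, the Titanium root would be listed because it is user-only and has `HasPrivateKey: True`, with its status depending on the date the script is run.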

Labels: enhancement (New feature or request)
