Open
Description
While testing the proxy support in the plugin with mitmproxy, we've noticed that the REST client does not fall back to the OS trusted certificates if it can't find anything in the JVM's default keystore.
Mitmproxy uses self-signed certificates, and it's usually simpler to add the certificate required to the operating system's certificate trust store rather than Toolbox JVM's default keystore. However, by default, JVM-based applications use only the JVM's default keystore, which means connecting to servers will fail due to not trusting the certificate presented.
Ideally, the plugin cascades in the following order:
- JVM's default keystore
- Coder configured CA (available in the Settings page under TLS section)
- OS trusted keystore
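
One way to implement the cascade requested above, as an added example that is not the plugin's own code. The names `trustManagerFor`, `keyStoreFromPem`, `osKeyStore`, `CascadingTrustManager` and `buildSslContext` are hypothetical, the configured CA is assumed to be a PEM file, and the OS stage relies on the JDK's `KeychainStore` (macOS) and `Windows-ROOT` (Windows) keystore types:

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// null selects the JVM's default trust store (cacerts or javax.net.ssl.trustStore).
fun trustManagerFor(store: KeyStore?): X509TrustManager =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
        .apply { init(store) }.trustManagers.filterIsInstance<X509TrustManager>().first()

// Loads the configured CA (assumed PEM, one or more certificates) into an in-memory KeyStore.
fun keyStoreFromPem(path: String): KeyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
    load(null, null)
    File(path).inputStream().use { CertificateFactory.getInstance("X.509").generateCertificates(it) }
        .forEachIndexed { i, cert -> setCertificateEntry("configured-ca-$i", cert) }
}

// OS store via the JDK's platform keystore types; null when unavailable or empty.
// Linux has no such keystore type, so this example skips the OS stage there.
fun osKeyStore(): KeyStore? {
    val os = System.getProperty("os.name").lowercase()
    val type = if ("mac" in os) "KeychainStore" else if ("windows" in os) "Windows-ROOT" else return null
    return runCatching { KeyStore.getInstance(type).apply { load(null, null) } }
        .getOrNull()?.takeIf { it.size() > 0 } // an empty store makes PKIX validation throw
}

// Tries each stage in order; a chain is accepted as soon as one stage trusts it.
class CascadingTrustManager(private val stages: List<X509TrustManager>) : X509TrustManager {
    override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String) {
        var last: CertificateException? = null
        for (tm in stages) {
            try { tm.checkServerTrusted(chain, authType); return } catch (e: CertificateException) { last = e }
        }
        throw last ?: CertificateException("no trust store configured")
    }
    override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String) =
        stages.first().checkClientTrusted(chain, authType)
    override fun getAcceptedIssuers(): Array<X509Certificate> =
        stages.flatMap { it.acceptedIssuers.asList() }.toTypedArray()
}

fun buildSslContext(configuredCaPath: String?): SSLContext {
    val configured = configuredCaPath?.let { trustManagerFor(keyStoreFromPem(it)) }
    val stages = listOfNotNull(trustManagerFor(null), configured, osKeyStore()?.let { trustManagerFor(it) })
    return SSLContext.getInstance("TLS").apply { init(null, arrayOf(CascadingTrustManager(stages)), null) }
}
```

Every stage added to the cascade widens the set of issuers the client accepts, so a root installed in the OS store (such as a mitmproxy CA) becomes trusted for all of the plugin's connections. Hostname verification is separate from the trust manager and stays as the HTTP client configures it.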