Mortal Kombat 11

Fix MK11 Online by Extracting the Missing Certificate
By SomberDreamz
🔧 Fix MK11 Online by Extracting the Missing Certificate (Windows 11)

Disclaimer
Certificate requirements may vary depending on region, server cluster, or environment. Because of that, I’m not sharing any certificate files directly here. It’s best practice to capture them yourself using the method in this guide. This avoids any trust or safety concerns and ensures you find the exact certificates your game actually uses, instead of mass-importing unnecessary ones. Because this method for acquiring the certificate used by the game’s online features can be somewhat unpredictable, it would be preferable for the developers to specify exactly which certificates the game requires, avoiding any guesswork or extra hassle.
   
This guide shows how to find and install the exact TLS certificate Mortal Kombat 11 needs for online connectivity without mass-importing hundreds of unnecessary root certs.

It uses Wireshark (to capture the handshake) and OpenSSL (to decode the certificate).

---

🧰 Prep

1) Install Wireshark
https://www.wireshark.org/
During setup, make sure Npcap is checked so packets can be captured.

2) Install OpenSSL
Download: https://slproweb.com/products/Win32OpenSSL.html
Found This Tutorial: YouTube Walk-through

3) Pause heavy network activity (Steam downloads, browsers, etc.) to keep captures clean.
4) Disable VPN / antivirus TLS interception. They can rewrite certificates and break the trace.

---

🔍 Take Care of the Problem

1) Identify the game’s host
• Open Resource Monitor > Network > expand TCP Connections
• Launch MK11 and find its process. There may be numerous processes for MK11.
• Find and note the MK11 process with a PID and Remote Address (example: PID = 11900, Address = 98.91.14.202)
• Close the game once you have them.

2) Start capturing in Wireshark
• Launch Wireshark.
• Double-click your active interface (Wi-Fi if wireless, Ethernet if wired).

3) Apply a display filter:
ip.addr == 98.91.14.202 && tls

(Replace the 98.91.14.202 with the MK11 remote address you found earlier)
Then go to Capture > Restart to apply the filter.

✅ You’ll see packet counts rising but "Displayed: 0". That’s fine; only TLS traffic will appear.

4) Reproduce the issue
• Start MK11 again and attempt to select the option for Online Match (doing so may crash to desktop, which is fine).
• Once the attempt is done, it should have been logged in the capture, so close the game.

5) Locate the handshake
• In Wireshark, find a packet whose Info field reads:
Certificate, Server Hello Done
• Double-click it.
• Expand Transport Layer Security, then find and expand:
TLSv1.2 Record Layer: Handshake Protocol: Certificate
• Inside it, find and expand:
Handshake Protocol: Certificate

6) Copy the leaf certificate
• Expand Certificates.
• Select the topmost certificate entry (should look like "Certificate [...]: Lots of characters").
• Right-click, then Copy > ...as Hex Dump.

7) Clean up the hex
• Paste into Notepad++.
• Remove ONLY the leading ADDRESSES (0000, 0010, etc.) and the leading SPACES.
• Each line should then look something like this, without the leading addresses and spaces:
30 82 06 8f 30 82 05 77 a0 03 02 01 02 02 08 40

• Save as leaf.hex.

8) Convert HEX to DER
Open Command Prompt in that folder:
certutil -decodehex leaf.hex leaf.der

9) Verify the certificate
openssl x509 -in leaf.der -inform der -noout -text

If you see Certificate details and an Issuer / Subject, it decoded correctly.

10) Import the certificate (GUI method)
1. Win + R > mmc > Enter
2. File > Add/Remove Snap-in > Certificates > Add
3. Choose Computer account (it shows up as "Certificates (Local Computer)") > Next > Finish
4. Expand the account you chose in step 3 (I chose the Local Computer option) and select:
Certificates (Local Computer) > Intermediate Certification Authorities > Certificates
5. Right-click Certificates > All Tasks > Import…
6. Browse to your leaf.der, follow the wizard, finish.
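
A scripted check for steps 7 to 9, added here as an example and not part of the original guide: it parses the pasted hex dump (offsets present or already stripped), confirms no lines were lost, and confirms the outer DER header matches the number of bytes pasted before anything is imported. The function names are hypothetical and the sample dump is constructed, not a real certificate.

```python
import hashlib
import re

# Optional offset column, then 1-16 space-separated byte pairs. The ASCII
# column sits behind 2+ spaces, so the match stops before reaching it.
LINE = re.compile(r"^\s*(?:([0-9a-fA-F]{4,8})\s+)?((?:[0-9a-fA-F]{2}(?: |$)){1,16})")

# Constructed sample in Wireshark's hex-dump layout: DER-shaped framing only,
# not a real certificate.
SAMPLE = """\
0000   30 12 30 10 a0 03 02 01 02 02 08 40 41 42 43 44   0.0........@ABCD
0010   45 46 47 48                                       EFGH
"""

def hexdump_to_bytes(text):
    """Turn a pasted hex dump (offsets present or already stripped) into bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank line or stray text
        if m.group(1) is not None and int(m.group(1), 16) != len(out):
            raise ValueError(f"lines missing before offset {m.group(1)}")
        out += bytes.fromhex(m.group(2))
    return bytes(out)

def der_total_length(data):
    """Size of the whole blob according to its outer DER SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = data[1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the content length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_leaf(text):
    """Return (der_bytes, sha1_hex, sha256_hex), or raise if the paste is incomplete."""
    data = hexdump_to_bytes(text)
    claimed = der_total_length(data)
    if claimed != len(data):
        raise ValueError(f"header claims {claimed} bytes, paste holds {len(data)}")
    return data, hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    der, sha1, sha256 = check_leaf(SAMPLE)
    print(len(der), "bytes", "SHA-1", sha1, "SHA-256", sha256)
```

The SHA-1 value is what the Windows certificate dialog lists as Thumbprint, so it can be compared against the entry that appears in the store after the import in step 10.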

---

Done! Launch MK11 and test Online mode.
If it still fails, double-check that your system already trusts the Go Daddy Secure Certificate Authority - G2 intermediate and the Go Daddy Root Certificate Authority.
Most Windows systems include them by default.

---

🧠 Notes
• This cert CN=*.wbagora is what MK11’s servers present.
• Import into Intermediate CA, not Root.
• No need to mass-import from Windows Update.
FAQ
  • (MK11 still desyncs mid-game in online matches).
    This happens after the TLS handshake, so it’s not caused by missing certificates.
    Your system already accepted the required cert to establish the connection.
    Desyncs are a separate issue (likely netcode or server-related), not related to the topic here.