How to automatically update Certifi cacert.pem with Trusted Certificates in the Windows Certificate Store?

I have installed a firewall Root CA into the Trusted Root Certification Authorities of the Local System of my Windows system. This was done for the purpose of SSL inspection.

When this was done, I was seeing SSL error messages in my Python applications:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')) WINDOWS

This was strange, because everything else on my system, such as web browsers, was operating fine. I then realized that Python uses the Root CAs specified in the file cacert.pem, which is managed by the certifi module. It does not use the Windows certificate store. This made sense because the certificates were set up correctly in the Windows certificate store, and every other application on my system was fine.

To view where this file is stored, you can run the following code:

import certifi
print(certifi.where())

I manually added my Root CA to the cacert.pem file by copying and pasting my Root CA certificate to the bottom of the cacert.pem file.

After doing this, I have not received any SSL errors whatsoever and my Python applications are correctly using the firewall's certificates.

My questions are:

  • Can I make Python just use the trusted Root certificates in my Windows store?
  • It is unnecessary and annoying to have to have duplicates of the same certificate. I would like Python to use the central Windows store, just like everything else, to minimize hassle and sources of error.
  • At the least, is there a certifi command that I can run to have it copy everything from the Windows certificate store into the cacert.pem file?

EDIT

From the certifi GitHub page:

Certifi does not support any addition/removal or other modification of the CA trust store content. This project is intended to provide a reliable and highly portable root of trust to python deployments. Look to upstream projects for methods to use alternate trust.

There are 1 best solutions below

Option 1 for Windows:

According to this article, obtaining certificates from the Windows store works after installing the module python-certifi-win32.

Command: python -m pip install python-certifi-win32

Option 2 for Windows:

Paste the Base-64 Root CA certificate at the bottom of the certifi cacert.pem file. This file can be found on the system with the command below:

import certifi
print(certifi.where())
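
An added example, not part of the answer above: a variation on Option 2 that leaves certifi's cacert.pem untouched and writes a separate bundle combining it with the Windows ROOT store, keeping only certificates the store trusts for TLS server authentication. The output path is a hypothetical choice, and pointing the requests library at the result through REQUESTS_CA_BUNDLE is an assumption about which client is in use.

```python
import hashlib
import ssl
import sys
from pathlib import Path

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: TLS server authentication


def select_server_roots(store_entries):
    """Filter (cert_bytes, encoding, trust) tuples, the shape returned by
    ssl.enum_certificates(), to unique X.509 certs trusted for TLS servers."""
    seen, selected = set(), []
    for der, encoding, trust in store_entries:
        if encoding != "x509_asn":
            continue  # skip PKCS#7 blobs
        # trust is True (all purposes) or a set of EKU OIDs
        if trust is not True and SERVER_AUTH_OID not in trust:
            continue  # e.g. a root limited to e-mail or code signing
        digest = hashlib.sha256(der).hexdigest()
        if digest not in seen:
            seen.add(digest)
            selected.append(der)
    return selected


def build_bundle(base_pem, store_entries, out_path):
    """Write base_pem plus the selected store certificates to out_path.
    Returns the number of store certificates appended."""
    roots = select_server_roots(store_entries)
    blocks = [ssl.DER_cert_to_PEM_cert(der).strip() + "\n" for der in roots]
    text = base_pem.rstrip() + "\n" + "".join(blocks)
    Path(out_path).write_text(text, encoding="utf-8")
    return len(roots)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("ssl.enum_certificates() is only available on Windows")
    import certifi

    out = Path.home() / "combined-ca-bundle.pem"  # hypothetical location
    base = Path(certifi.where()).read_text(encoding="utf-8")
    added = build_bundle(base, ssl.enum_certificates("ROOT"), out)
    print(f"{added} Windows roots appended; set REQUESTS_CA_BUNDLE={out}")
```

Because the bundle lives outside the certifi package directory, upgrading certifi does not erase the added roots; re-run the script after the Windows store or certifi changes.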