How to Add a Custom Ca Root Certificate to the Ca Store Used by Pip in Windows

Python Requests - How to use system ca-certificates (debian/ubuntu)?

From https://stackoverflow.com/a/33717517/1695680

To make python requests use the system ca-certificates bundle, it needs to be told to use it over its own embedded bundle

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Requests embeds its bundles here, for reference:

/usr/local/lib/python2.7/site-packages/requests/cacert.pem
/usr/lib/python3/dist-packages/requests/cacert.pem

Or in newer versions use additional package to obtain certificates from:
https://github.com/certifi/python-certifi

To verify from which file certificates are loaded, you can try:

Python 3.8.5 (default, Jul 28 2020, 12:59:40) 
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'

How do I go about getting the trusted CAs to add to my certificate store

There is no any central organization that decides the certificates to be accepted by each browser. Each one has its own process to accept a new CA

  • Firefox: process defined in https://wiki.mozilla.org/CA
  • Chrome: use the root certificate store of the underlying operating system. See

In the Chrome link you can see the references to Microsoft Root Certificate Program and Apple Root Certificate Program, and the way to do it for Linux and android

European Union has its own legislation where each member publish a Trusted Service List which are linked in a central list. All territories have the legal obligation to accept certificates issued by any provider in the list . It is XML and designed to be processed automatically but browsers do not use



Related Topics



Leave a reply



Submit