mkcert icon indicating copy to clipboard operation
mkcert copied to clipboard

Published 20 hours ago verified publisher icon FiloSottile

CA installation in Windows git-bash (curl there, etc)

Open rfay opened this issue 5 years ago • 8 comments

It would be wonderful if in addition to all the wonderful places the CA is already installed it could be installed in the git-bash ecosystem (for curl in windows git bash).

Thanks for mkcert! it's is an amazing breakthrough. I'm integrating it into ddev a local web development environment which runs on most platforms. And it's now able to trust local certs for the very first time. Thanks!

rfay avatar Apr 24 '19 13:04 rfay

Can you provide some more info on that ecosystem? I don't use Windows, so I wouldn't know where to start to find its root store.

FiloSottile avatar Jun 01 '19 12:06 FiloSottile

Thanks, I haven't found a solution yet, but poking around on the web:

  • The old solution (may still work) seems to be to add to git-for-windows' store: https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/
  • git itself apparently has a way to switch to using the global CA store by git config --global http.sslBackend schannel... but that seems to be specific to git (as expected, since it uses git config)

I haven't tried the first with the curl that ships in the git-for-windows world; maybe it would work. The second (git config) approach definitely didn't work for me.

rfay avatar Jun 03 '19 01:06 rfay

It looks to me like

$ cat $(mkcert -CAROOT)/rootCA.pem >> /mingw64/ssl/certs/ca-bundle.crt

does the job from within git-bash context.

Outside git-bash context, I believe the directory is typically C:\Program Files\Git\mingw64\ssl\certs

rfay avatar Jun 03 '19 04:06 rfay

In Most corporate settings it is best to set it to use Windows Trusted CA Store, since that will be managed by your IT (like if they inspect outbound HTTPS traffic) using git config --global http.sslBackend schannel as suggested by @rfay

closedstack avatar Oct 07 '20 22:10 closedstack

Typically, windows has no certificates dir, but stores in win registory. If you want to import into the registory with using cli, It seems that certutil command can be used.

certutil.exe -addstore root c:\capublickey.cer

See: https://superuser.com/questions/1506440/import-certificates-using-command-line-on-windows

mkontani avatar Oct 12 '20 18:10 mkontani

@rfay From where did you acquire mkcert? It does not seem to be in my default git bash install.

Edit: I might not need it. Just cat and append to the ca-bundle.crt file.

Edit 2: solution not working for me...so, may be a problem somewhere else.

jkugler avatar Dec 09 '20 20:12 jkugler

@jkugler - download the windows binary from the releases page, https://github.com/FiloSottile/mkcert/releases

rfay avatar Dec 09 '20 21:12 rfay

In Most corporate settings it is best to set it to use Windows Trusted CA Store, since that will be managed by your IT (like if they inspect outbound HTTPS traffic) using git config --global http.sslBackend schannel as suggested by @rfay

but how to make that config for the entire git-bash? For example, I cannot perform any curls to https endpoints in my bash... (and all of my package managers suffer from the same issue... it's a pain to add the certificates for each of them, as they expire...) Any ideas how to do that?

MarlonMrN avatar Jun 11 '21 12:06 MarlonMrN