CA installation in Windows git-bash (curl there, etc)

FiloSottile / mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.

https://mkcert.dev

BSD 3-Clause "New" or "Revised" License

48.8k stars 2.52k forks source link

CA installation in Windows git-bash (curl there, etc) #159

Open rfay opened 5 years ago

rfay commented 5 years ago

It would be wonderful if in addition to all the wonderful places the CA is already installed it could be installed in the git-bash ecosystem (for curl in windows git bash).

Thanks for mkcert! it's is an amazing breakthrough. I'm integrating it into ddev a local web development environment which runs on most platforms. And it's now able to trust local certs for the very first time. Thanks!

FiloSottile commented 5 years ago

Can you provide some more info on that ecosystem? I don't use Windows, so I wouldn't know where to start to find its root store.

rfay commented 5 years ago

Thanks, I haven't found a solution yet, but poking around on the web:

The old solution (may still work) seems to be to add to git-for-windows' store: https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/
git itself apparently has a way to switch to using the global CA store by git config --global http.sslBackend schannel... but that seems to be specific to git (as expected, since it uses git config)

I haven't tried the first with the curl that ships in the git-for-windows world; maybe it would work. The second (git config) approach definitely didn't work for me.

rfay commented 5 years ago

It looks to me like

$ cat $(mkcert -CAROOT)/rootCA.pem >> /mingw64/ssl/certs/ca-bundle.crt

does the job from within git-bash context.

Outside git-bash context, I believe the directory is typically C:\Program Files\Git\mingw64\ssl\certs

closedstack commented 4 years ago

In Most corporate settings it is best to set it to use Windows Trusted CA Store, since that will be managed by your IT (like if they inspect outbound HTTPS traffic) using git config --global http.sslBackend schannel as suggested by @rfay

mkontani commented 4 years ago

Typically, windows has no certificates dir, but stores in win registory. If you want to import into the registory with using cli, It seems that certutil command can be used.

certutil.exe -addstore root c:\capublickey.cer

See: https://superuser.com/questions/1506440/import-certificates-using-command-line-on-windows

jkugler commented 3 years ago

@rfay From where did you acquire mkcert? It does not seem to be in my default git bash install.

Edit: I might not need it. Just cat and append to the ca-bundle.crt file.

Edit 2: solution not working for me...so, may be a problem somewhere else.

rfay commented 3 years ago

@jkugler - download the windows binary from the releases page, https://github.com/FiloSottile/mkcert/releases

MarlonMrN commented 3 years ago

In Most corporate settings it is best to set it to use Windows Trusted CA Store, since that will be managed by your IT (like if they inspect outbound HTTPS traffic) using git config --global http.sslBackend schannel as suggested by @rfay

but how to make that config for the entire git-bash? For example, I cannot perform any curls to https endpoints in my bash... (and all of my package managers suffer from the same issue... it's a pain to add the certificates for each of them, as they expire...) Any ideas how to do that?