Add CA Certificates To Python

Python verifies SSL certificates when it communicates over HTTPS, so you can be sure that the communications channel is secure. When you’re experimenting you might want to disable SSL verification temporarily, but there are scenarios where this is not possible, e.g. when you need to install or update through pip, or when a library doesn’t offer a way to ignore or suppress certificate errors. This becomes a challenge in the following circumstances:

  • a company policy to check outgoing traffic by decrypting all outgoing HTTPS traffic,

  • or when you’re using tools like Burp Suite / OWASP ZAP Proxy to inspect content in API calls etc.

In these cases your only solution is to add the root certificates of those MITM tools to the Python certificate bundle (or create your own bundle). In this case I’ll be adding my own Root CA certificates to the existing bundle. This is not a permanent solution, since they might get overwritten with (pip) updates. But it works for me for the time being.

Start a Python interpreter:

>>> import certifi
>>> certifi.where()
<pythonpath>\lib\site-packages\certifi\cacert.pem

This cacert.pem file contains all root CAs typically found in most browsers and operating systems. Just add your CA (in Base64 (PEM) format) at the end of the file and you’ll be good to go (until the next certifi update).
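
The append step can be scripted so that it is repeatable after a certifi update. The following is an added example, not code from the original post: merge_ca and fake_pem are hypothetical helper names, the check is structural only (PEM framing and Base64, no X.509 parsing), and the demo uses constructed stand-in data in a temporary directory instead of the real certifi.where() file.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the decoded (DER) bytes of each PEM certificate block."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()), validate=True)).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def merge_ca(base_bundle, ca_pem, out_bundle):
    """Write base_bundle plus the certificates in ca_pem it lacks to out_bundle.

    Pass the same path twice to append in place (the approach in the post), or
    a separate out_bundle to build your own bundle and leave certifi's file
    alone. Returns the fingerprints that were added; malformed input raises.
    """
    text = Path(base_bundle).read_text(encoding="utf-8")
    known = set(fingerprints(text))
    blocks = [m.group(0) for m in PEM_RE.finditer(ca_pem)]
    if not blocks:
        raise ValueError("no PEM certificate block found in ca_pem")
    added = []
    for block in blocks:
        fp = fingerprints(block)[0]
        if fp not in known:  # skip CAs that are already trusted (idempotent)
            text = f"{text.rstrip()}\n\n# local CA, sha256={fp}\n{block}\n"
            known.add(fp)
            added.append(fp)
    Path(out_bundle).write_text(text, encoding="utf-8")
    return added

def fake_pem(payload):
    # Constructed stand-in: PEM framing around arbitrary bytes, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d, "cacert.pem")        # stands in for certifi.where()
        bundle.write_text(fake_pem(b"public root"), encoding="utf-8")
        proxy_ca = fake_pem(b"proxy root")    # stands in for the Burp/ZAP/company root CA
        print(len(merge_ca(bundle, proxy_ca, bundle)))  # first run appends the CA
        print(len(merge_ca(bundle, proxy_ca, bundle)))  # second run adds nothing
```

When you write to a separate bundle, a certifi update no longer removes your CA; requests reads the REQUESTS_CA_BUNDLE environment variable and pip accepts --cert to point at such a file.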

Posted on August 22, 2023 and filed under Programming, Tips'n Tricks.