How do I configure Git to trust certificates from the Windows Certificate Store?

Julian Lettner picture Julian Lettner · May 21, 2013 · Viewed 60.2k times · Source

Currently I have the following entry in my .gitconfig in my user directory.

...
[http]
    sslCAInfo=C:\\Users\\julian.lettner\\.ssh\\git-test.pem
...

This sets the certificate to use when interacting with the git server (required by my company's git server).

But now I cannot clone other repositories (for example a public repository on GitHub), because the client always uses the configured certificate which gets rejected by other servers.

How can I circumvent this certification issue? Can I configure Git to use the Windows Certificate Store to authenticate?

Answer

Edward Thomson picture Edward Thomson · Jan 11, 2018

Beginning with Git for Windows 2.14, you can now configure Git to use SChannel, the built-in Windows networking layer. This means that it will use the Windows certificate storage mechanism and you do not need to explicitly configure the curl CA storage mechanism.

From the Git for Windows 2.14 release notes:

It is now possible to switch between Secure Channel and OpenSSL for Git's HTTPS transport by setting the http.sslBackend config variable to "openssl" or "schannel"; This is now also the method used by the installer (rather than copying libcurl-4.dll files around).

You can choose the new SChannel mechanism during the installation of Git for Windows 2.14. You can also update an existing installation to use SChannel by running:

git config --global http.sslBackend schannel

Once you have configured this, Git will use the Windows certificate store and should not require (and, in fact, should ignore) the http.sslCAInfo configuration setting.