Custom SSL certificates

When using the quilt3 API or CLI with a client-to-site VPN you may need to trust a custom certificate in Python.

Mac OS X

  1. Direct your browser to an HTTPS website that uses a custom certificate.

  2. Click the lock icon in the address bar.

  3. Click View certificates and copy the certificate name to a safe place.

  4. Open Keychain Access and select System Keychains > System Roots.

  5. Click the Certificates tab.

  6. Find the certificate that you noted above.

  7. Click File > Export Items... to export the root certificate.

  8. Convert the exported certificate in Terminal as follows:

    openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.crt
  9. Export the following variable. You may wish to do this in a startup file for repeatability.

    export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.crt

Linux

  1. Export the following variable. You may wish to do this in a startup file for repeatability.

    export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

The single-file version of your CA certificate may be found in different locations depending upon your operating system.

Windows

  1. Direct your browser to an HTTPS website that uses a custom certificate.

  2. Click the lock icon in the address bar.

  3. Click View certificates and copy the certificate name to a safe place.

  4. Open the Command Prompt («Win + R») and type certmgr to open your Windows Certificate Manager.

  5. Find the certificate that you noted above.

  6. Export the certificate in Base-64 encoded X.509 (.CER) to your file system (\Path\To\mycert.cer).

  7. Convert the exported certificate in the Command Prompt as follows (assumes OpenSSL is installed):

    • Certificate in der encoding:

    openssl x509 -inform der -in \Path\To\mycert.cer -out \Path\To\Converted\mycert.crt
    • Certificate in pem encoding (no conversion necessary):

    openssl x509 -in \Path\To\mycert.cer -out \Path\To\Converted\mycert.crt
  8. Export the following variable. You may wish to do this in a startup file for repeatability.

    set REQUESTS_CA_BUNDLE=Path\To\Converted\mycert.crt

Verification

quilt3 should no longer fail with SSL errors related to the custom certificate.

References

Last updated