This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author chris-k
Recipients chris-k, christian.heimes, paul.moore, steve.dower, tim.golden, zach.ware
Date 2019-02-18.16:50:46
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
quick addition: It looks like all recent Windows versions (Win8/Server 2012, Win8.1/Server 2012R2, Win10 (older versions)/Server 2016, Win10-1809/Server 2019 behave the same (= only very few RootCAs are pre-installed out of the box, additional ones are added on the fly when HTTPS requests are being made via the SCHANNEL api).

Possible workaround for Windows admins:

Import the RootCA certs from "certifi" into the Windows local machine Trusted RootCA store.

To do so, first download and convert the certifi cabundle ( to a pfx container, i.e. with something like:

wget -O certs.pem
openssl pkcs12 -export -nokeys -out certs.pfx -in certs.pem

Then import the pfx via the certlm.msc GUI or the certutil.exe cmdline tool. This imports all certs at once. This can also be centralized for a larger number of machines via an Active Directory Group Policy (Local Machine -> Windows Settings -> Security Settings -> PKI).

This isn't ideal as it puts the admin into the responsibility to update the certstore/GPO whenever there's a change in the certifi cabundle, but works well for me besides that.
Date User Action Args
2019-02-18 16:50:46chris-ksetrecipients: + chris-k, paul.moore, christian.heimes, tim.golden, zach.ware, steve.dower
2019-02-18 16:50:46chris-ksetmessageid: <>
2019-02-18 16:50:46chris-klinkissue36011 messages
2019-02-18 16:50:46chris-kcreate