I have created a self-signed certificate as my fake CA, used it to sign the certificate of my test server. I added the fake CA to the client (Windows 7) certificate store (System settings > Internet Settings > Content > Certificates), imported it there first only to "trusted root certificate authorities (translating from German "Vertrauenswürdige Stammzertifizierungsstellen" here), after failed tests to all tabs (including "own certificates", "intermediate certification authorities", but not the the "non-trusted issuers").

I can see my fake ca certificate in the lists in the windows settings, but querying the windows CA store through python (version 3.7), either through ssl.create_default_context().get_ca_certs() or ssl.enum_certificates(store) for store in ("CA", "ROOT", "MY") I only see some default builtin authorities (digicert, microsoft, comodo, verisign, etc).

This might be related to https://bugs.python.org/issue36011 . The related PR https://github.com/python/cpython/pull/11923 is now closed but I do not see the commit in master/3.7/feature-version branch. Was it dismissed?

I am aware there are options to add certificate files to SSL_CERT_DIR, but it is my understanding that python now uses the windows certificate store and that is where in my case the certificate should go.