certifi-system-store is a replacement and hack for consumers of certifi. It replaces certifi with an alternative implementation that uses the system trust store on Linux and some BSD distributions.
Please be advised that this package is brand new and highly experimental. It hasn't been tested in any production environment.
$ python -m pip install git+https://github.com/projg2/certifi-system-store
The certifi command of certifi-system-store has an additional
argument, --system-store. The argument is not available with the standard
certifi package. You can use this property to verify that the certifi
package is provided by certifi-system-store.
$ python -m venv venv
$ venv/bin/pip install certifi
$ venv/bin/python -m certifi --system-store
usage: __main__.py [-h] [-c]
__main__.py: error: unrecognized arguments: --system-store
$ echo $?
2
$ venv/bin/pip install certifi-system-store
$ venv/bin/python -m certifi --system-store
/etc/pki/tls/cert.pem
$ echo $?
0
The command also checks for the presence of a CA cert bundle:
$ venv/bin/python -m certifi
Traceback (most recent call last):
...
FileNotFoundError: /etc/ssl/cert.pem, /etc/pki/tls/cert.pem, /etc/ssl/certs/ca-certificates.crt, /etc/ssl/ca-bundle.pem
$ echo $?
1
To check for certifi-system-store at runtime:
import certifi
if not getattr(certifi, "__certifi_system_store__", False):
    raise ImportError("certifi-system-store is not installed")
Most major Linux distributions and FreeBSD are supported.
- Alpine
- Debian-based distributions (Ubuntu, Raspberry Pi OS, Tails, ...)
  - NOTE: Some distributions don't have a system trust store in
    their minimal package list. You may have to install
    ca-certificates manually, see Debian bug #960869, Ubuntu bug #1879310.
- Fedora-based distributions (RHEL, CentOS, CentOS Streams)
- FreeBSD
  - NOTE: may require manual installation of ca_root_nss
- Gentoo
- OpenSUSE
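On a minimal image where the CA package noted above is missing, a start-up check can fail early instead of at the first TLS handshake. The following added example (not part of certifi-system-store) combines the `__certifi_system_store__` check with a look at the file returned by `certifi.where()`; `preflight` and `demo` are hypothetical names, and the stand-in modules and bundle contents are constructed.

```python
import os
import tempfile
import types

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def preflight(module):
    """Return (bundle_path, cert_count) or raise if the trust store is unusable.

    `module` is the imported certifi module, or any object with the same
    attributes (which is what the constructed samples in demo() use).
    """
    # Marker attribute documented in the runtime check on this page.
    if not getattr(module, "__certifi_system_store__", False):
        raise ImportError("certifi-system-store is not installed")
    path = module.where()  # certifi's public API for the bundle location
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    with open(path, "rb") as fh:
        count = fh.read().count(PEM_MARKER)
    if count == 0:
        # With an empty bundle, no server certificate can be verified.
        raise RuntimeError(f"{path} contains no PEM certificates")
    return path, count


def demo():
    """Run preflight() against constructed stand-ins for the certifi module."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "cert.pem")
        with open(good, "wb") as fh:
            # Constructed sample: two marker blocks, not real certificates.
            fh.write((PEM_MARKER + b"\nAAAA\n-----END CERTIFICATE-----\n") * 2)
        empty = os.path.join(tmp, "cacert.pem")
        open(empty, "wb").close()
        ns = types.SimpleNamespace
        cases = {
            "system-store": ns(__certifi_system_store__=True, where=lambda: good),
            "plain certifi": ns(where=lambda: good),
            "empty bundle": ns(__certifi_system_store__=True, where=lambda: empty),
        }
        for name, mod in cases.items():
            try:
                results[name] = preflight(mod)[1]
            except (ImportError, FileNotFoundError, RuntimeError) as exc:
                results[name] = type(exc).__name__
    return results
```

In an application, call `preflight(certifi)` once at start-up, before any HTTP client is created.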
certifi-system-store may work, but there is no CI for these platforms.
- ArchLinux
- OpenWRT
- Slackware
- VoidLinux
- other Linux distributions not based on Debian or Fedora
- OpenBSD
- NetBSD
- Windows
- macOS
- Android (has a cert directory but not a PEM bundle)
- iOS
- Alpine
- Arch
- Fedora 34+ (see rhbz#1895619)
- FreeBSD (requires ca_root_nss package)
- OpenWRT
- RHEL 9
- CentOS 7, 8
- Fedora 33 and earlier
- RHEL 7, 8
- Debian (requires ca-certificates package)
- Gentoo
- Ubuntu (requires ca-certificates package)
- SUSE
$ sudo cp my-custom-ca.pem /usr/local/share/ca-certificates/my-custom-ca.crt
$ sudo update-ca-certificates

$ sudo cp my-custom-ca.pem /etc/ca-certificates/trust-source/anchors/my-custom-ca.crt
$ sudo update-ca-trust

Standard PEM or DER-encoded certificates (BEGIN CERTIFICATE)
$ sudo cp my-custom-ca.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust
Certificates with additional trust information (BEGIN TRUSTED CERTIFICATE)
$ sudo cp my-custom-ca.pem /etc/pki/ca-trust/source/
$ sudo update-ca-trust

Note: The man page update-ca-certificates(8) mentions that cert
files must have a .crt extension.
$ sudo cp my-custom-ca.pem /usr/local/share/ca-certificates/my-custom-ca.crt
$ sudo update-ca-certificates

- empty certifi/cacert.pem to override any existing certifi data.
- certifi dist-info with a much higher version number than certifi's default dist-info metadata
$ venv/bin/pip install certifi-system-store
$ ls -l .tox/venv/lib/python3.9/site-packages/
certifi
certifi-3000.1.dist-info
...
$ venv/bin/python -m certifi -v --system-store
certifi-system store 3000.0a1
/etc/pki/tls/cert.pem
...
- Cory Benfield
- Pradyun Gedam
- Wouter Bolsterlee