Git configuration behind corporate SSL proxy

This is a quick note to configure git client behind corporate SSL proxy on Windows.

If you are behind a corporate SSL proxy, the chances are that git command line client on windows will not work out of box. The is because the SSL proxy overrides the actual certificate presented by the website(say github.com) with an certificate issued by an internal CA. This is done so that the proxy can inspect all the traffic, which is a regulatory/security requirement in most large organisations. The browsers and systems are generally configured to accept the internal CA so we don’t see the difference between the actual certificate of site and the once overriden by internal proxy. However git client does not use the systems trusted certificate store. So it will complain about the certificate it sees.

You can do the following to make git client accept the internal proxy’s SSL certificate. You have to get the certificate of the CA, which you may get from browser or using curl and openssl. Once you have the CA’s certificate, you can add it to the certificate store used by git and curl.

For git 2.6 on windows the location is mingw64/SSL/cert/cabundle.crt. These are base-64 encoded certificate which you can edit in a normal text editor.

comments powered by Disqus