5

While trying to check in/check out code on Azure DevOps from Git, I got the following error.

SSL certificate Error

The application has to send its traffic to Zscaler proxies. For this we unset the proxy in Git; after that the application was able to connect to the URL, but the SSL handshake was not happening. Git is not aware of the Zscaler certificate, due to which it could not establish an SSL handshake with the destination server. I need to find a way to import the Zscaler certificate into the Git application so that it can connect to the destination. Is it possible to just copy and paste the certificate into the Git folder? What are the certificates under Git\usr\ssl\certs? Can someone please assist?

Salman

2 Answers

3

For a corporate scenario (Zscaler, SSL inspection, ...), switching from OpenSSL to the Windows implementation of SSL/certificate validation (SCHANNEL) might be a good option. It ensures that git will be using the same certificate store as many other apps you are using. This answer discusses the required setting.

Compared to solutions like this, the approach avoids having to update the certificates stored specifically for git if IT needs to roll out updates.

Simon Opelt
  • 2
    thank you, the answer in the link (`git config --global http.sslBackend schannel`) solved our issue with Zscaler. – Josh Johanning Sep 22 '22 at 13:36
  • 1
    This should be marked as the correct answer. The other is just wrong. Wrong because use of SSL/TLS is IMPLICIT in the question. Disabling it is problematic. – GaTechThomas Jul 31 '23 at 16:33
-4

Was able to bypass this issue with the command

`git config --global http.sslVerify false`

To trust a certificate, you can try these steps and check the result:

  1. Export the certificate through a browser (e.g. Chrome): Click lock icon in address bar > Certificate > Certification Path > Select top-most certificate in the chain > View Certificate > Copy to file (Choose Base-64 encoded X.509).
  2. Copy the content to the ca-bundle.crt file (check the http.sslcainfo value by calling the `git config -l` command).

More information: Adding a corporate (or self-signed) certificate authority to git.exe’s store

Salman
  • 3
    Please don't recommend/show disabling ALL GIT CERTIFICATE VALIDATION without a disclaimer that this can be a significant security issue. For your scenario (corporate/zscaler/ssl inspection) please look at [this answer](https://stackoverflow.com/a/48212753/468244). – Simon Opelt Oct 12 '21 at 11:49
  • 1
    @SimonOpelt that's a perfect answer! – Kimball Robinson Jan 31 '22 at 18:13
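The settings discussed in both answers can be checked from the output of `git config -l`. The script below is an added example, not part of either answer: it flags disabled certificate validation (global or per-URL) and reports which trust source git uses. The sample output, the bundle path and the function names are constructed for illustration.

```python
"""Audit `git config -l` output for the TLS settings discussed in this thread."""
import os

FALSE_LITERALS = {"false", "no", "off", "0", ""}  # git's spellings of boolean false

# Constructed sample output of `git config -l` (not taken from a real machine).
SAMPLE = """\
http.sslbackend=openssl
http.sslcainfo=C:/example/ca-bundle.crt
http.sslverify=true
http.https://dev.azure.com/.sslverify=false
user.name=Example User
http.sslverify=false
"""

def parse(config_text):
    """Map (section, subsection, variable) to its last listed value (last one wins)."""
    settings = {}
    for line in config_text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        section, _, rest = key.partition(".")
        subsection, _, variable = rest.rpartition(".")
        # A key listed without "=value" is boolean true in git; stored as None here.
        settings[(section.lower(), subsection, variable.lower())] = value if sep else None
    return settings

def audit(config_text, env=None):
    """Return (severity, message) findings about certificate validation."""
    env = os.environ if env is None else env
    settings = parse(config_text)
    findings = []
    for (section, scope, variable), value in settings.items():
        if (section, variable) == ("http", "sslverify") and value is not None \
                and value.strip().lower() in FALSE_LITERALS:
            findings.append(("HIGH", f"certificate validation disabled for {scope or 'all remotes'}"))
    if "GIT_SSL_NO_VERIFY" in env:
        findings.append(("HIGH", "GIT_SSL_NO_VERIFY is set in the environment"))
    backend = (settings.get(("http", "", "sslbackend")) or "").lower()
    if backend == "schannel":
        findings.append(("INFO", "schannel: trust comes from the Windows certificate store"))
    else:
        bundle = settings.get(("http", "", "sslcainfo")) or "git's default bundle"
        findings.append(("INFO", f"CA bundle in use: {bundle}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(severity, message)
```

To audit a real machine, pass the text of `git config -l` to `audit()` instead of `SAMPLE`.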