How to add an enterprise certificate authority (CA) to git on cygwin (and some linux distros)

git-remote-https will read the following files for ca certificates:

/etc/ssl/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

If you edit these files, they will be overwritten each time the Cygwin setup is run and there is an update for the ca-certificates package.

The correct/proper solution is to add the certificate to the pick up directory and run the pickup script, update-ca-trust:

curl -sL http://ca.pdinc.us  > /etc/pki/ca-trust/source/anchors/ca.pdinc.us.pem \
&& update-ca-trust

The post install script for the ca-certificates package will automatically rerun the update-ca-trust script on every upgrade. For more information:

man update-ca-trust

Simpler instructions:

  1. Simply copy the file(s) with your enterprise's trusted certificates (e.g., .crt files) and copy them into the directory /etc/pki/ca-trust/source/anchors/.

  2. Run update-ca-trust extract. This will generate various files to make everything work.

You can add or remove files in the directory and re-run update-ca-trust extract.

NOTE: If your organization is one of the rare ones who use specialized certificates in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), there's a slight change in step 1. Basically, copy the certificates to the directory /etc/pki/ca-trust/source/ instead. There's no harm in copying them to the "usual" location, and moving them later if the "usual" directory doesn't work.

For more details, run man update-ca-trust.