Python certifi: How to Use SSL Certificate in Python
Python Certifi provides Mozilla’s thoroughly curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying an identity of TLS hosts. It has been plucked from the Requests project.
The Python Requests library uses its own CA file by default or will use the certifi package’s certificate bundle if installed.
Install Python certifi
To install the python certifi package, you have to type the following command.
python3 -m pip install certifi # OR pip install certifi
If you have installed requests library already, then there are 100% chances that the certifi library is also installed, but you have to check it. So, if you hit the following command, then either it will tell us that the requirement is already satisfied or it will install on your machine.
While it’s possible to pass your own CA bundle to Requests to override the default CAs, several third-party packages use Requests under the hood, and there is no way you can tell them to use the custom location for verify.
Use certifi in your Python project
To reference the installed certificate authority (CA) bundle, you can use the built-in function:
import certifi print(certifi.where())
You can also find the cacert.pem path from the command line using the following command.
python -m certifi /Users/krunal/Library/Python/3.8/lib/python/site-packages/certifi/cacert.pem
Browsers and certificate authorities have finalized that 1024-bit keys are unacceptably weak for certificates, particularly root certificates.
For the same reason, Mozilla has removed any weak (i.e., 1024-bit key) certificate from its bundle, replacing it with the equivalent robust (i.e., 2048-bit or higher key) certificate from the same CA.
If you put the additional certificates in the PEM bundle file, you can use these two environment variables to overwrite the default cert stores used by Python OpenSSL and Requests.
However, we can quickly check for this when our scripts start-up, and update the CA bundle automatically with a given CA if necessary.
First, capture your custom CA and save it as the PEM file.
If you only have a .cer, .crt, or .der file, you can convert it using OpenSSL.
openssl x509 -inform der -in certificate.cer -out certificate.pem
If you have multiple custom intermediates or roots, you can just add them all into the single .pem file when you are finished converting them all.
Drag the certificate.pem into the root of your project.
Now, we’re going to try requesting the target URL. In our case, it is a Github API, and if we hit the cert error, update the CA bundle in use by Certifi.
import certifi import requests try: print('Checking connection to Github...') test = requests.get('https://api.github.com') print('Connection to Github OK.') except requests.exceptions.SSLError as err: print('SSL Error. Adding custom certs to Certifi store...') cafile = certifi.where() with open('certicate.pem', 'rb') as infile: customca = infile.read() with open(cafile, 'ab') as outfile: outfile.write(customca) print('That might have worked.')
Checking connection to Github... Connection to Github OK.
That is it for the Python certifi example.