AppDividend

Python certifi: How to Use SSL Certificate in Python

Python certifi provides Mozilla's carefully curated collection of root certificates, used to validate the trustworthiness of SSL certificates while verifying the identity of TLS hosts. It was extracted from the Requests project.

The Python Requests library uses its own CA file by default or will use the certifi package’s certificate bundle if installed.

Install Python certifi

To install the Python certifi package, type one of the following commands.

python3 -m pip install certifi

# OR

pip install certifi

If you have already installed the requests library, certifi is almost certainly installed as well, but you should check. If you run the install command above, pip will either report that the requirement is already satisfied or install the package on your machine.

While it is possible to pass your own CA bundle to Requests (through the verify parameter) to override the default CAs, several third-party packages use Requests under the hood, and there is no way to tell them to use a custom location for verify.

Use certifi in your Python project

To find the path of the installed certificate authority (CA) bundle, call the certifi.where() function provided by the package:

import certifi

print(certifi.where())

Output

/Users/krunal/Library/Python/3.8/lib/python/site-packages/certifi/cacert.pem

You can also find the cacert.pem path from the command line using the following command.

python -m certifi
/Users/krunal/Library/Python/3.8/lib/python/site-packages/certifi/cacert.pem

Browsers and certificate authorities have concluded that 1024-bit keys are unacceptably weak for certificates, particularly root certificates.

For the same reason, Mozilla has removed every weak (i.e., 1024-bit key) certificate from its bundle, replacing it with the equivalent stronger (i.e., 2048-bit or higher key) certificate from the same CA.

Note: certifi does not support any addition, removal, or other modification of the CA trust store content.

If you put the additional certificates in your own PEM bundle file, you can use these two environment variables to override the default certificate stores used by Python's OpenSSL bindings and by Requests.

SSL_CERT_FILE=/System/Library/OpenSSL/cert.pem
REQUESTS_CA_BUNDLE=/System/Library/OpenSSL/cert.pem

However, we can quickly check for a certificate error when our scripts start up and update the CA bundle automatically with a given CA if necessary.

First, capture your custom CA and save it as the PEM file.

If you only have a .cer, .crt, or .der file, you can convert it using OpenSSL.

openssl x509 -inform der -in certificate.cer -out certificate.pem

If you have multiple custom intermediates or roots, concatenate them all into a single .pem file once you have finished converting each one.

Drag the certificate.pem into the root of your project.

Now we try requesting the target URL. In our case it is the GitHub API, and if we hit a certificate error, we update the CA bundle used by certifi.

import certifi
import requests

try:
    print('Checking connection to Github...')
    # Requests verifies the server certificate against certifi's bundle by default.
    response = requests.get('https://api.github.com')
    response.raise_for_status()
    print('Connection to Github OK.')
except requests.exceptions.SSLError as err:
    print('SSL Error. Adding custom certs to Certifi store...')
    print(err)
    # Path of the cacert.pem that certifi (and therefore Requests) is using.
    cafile = certifi.where()
    # The custom CA saved earlier in the project root, in PEM format.
    with open('certificate.pem', 'rb') as infile:
        customca = infile.read()
    # Append the custom CA(s) to the bundle; the leading newline makes sure the
    # new PEM block does not run into the last line of the existing file.
    with open(cafile, 'ab') as outfile:
        outfile.write(b'\n')
        outfile.write(customca)
    print('That might have worked.')

Output

Checking connection to Github...
Connection to Github OK.
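As an added example (not code from the article or from the certifi project), here is a variant of the same idea that writes a merged bundle to a file of your choosing instead of appending to certifi's own cacert.pem, which the next pip upgrade of certifi replaces; the merged file is then handed to Requests through REQUESTS_CA_BUNDLE, as the article describes. It also checks that the custom file really contains PEM certificate blocks before trusting it. It assumes certifi is installed and that the custom CA was saved as certificate.pem; the sample data in run_demo is constructed and not a real certificate.

```python
import os
import re
import tempfile

# One PEM certificate block (assumption: plain PEM, not PKCS#7 or DER).
_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.DOTALL)

def count_certs(pem_bytes):
    """Number of PEM certificate blocks in a bundle (sanity check before trusting it)."""
    return len(_PEM_CERT.findall(pem_bytes))

def build_merged_bundle(custom_pem_path, out_path, base_bundle=None):
    """Write certifi's bundle plus the custom CA(s) to out_path, outside site-packages.
    Returns the number of certs taken from the custom file; raises if it holds none,
    so an empty or still-DER file never ends up in the trust store."""
    if base_bundle is None:
        import certifi  # the same bundle the article locates with certifi.where()
        base_bundle = certifi.where()
    with open(custom_pem_path, "rb") as fh:
        custom = fh.read()
    added = count_certs(custom)
    if added == 0:
        raise ValueError("no PEM certificate block in %s" % custom_pem_path)
    with open(base_bundle, "rb") as fh:
        base = fh.read()
    with open(out_path, "wb") as out:  # newline between files keeps blocks separated
        out.write(base if base.endswith(b"\n") else base + b"\n")
        out.write(custom if custom.endswith(b"\n") else custom + b"\n")
    return added

def run_demo():
    """Constructed inputs only: a fake one-cert base bundle and a fake custom CA."""
    fake = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----"
    with tempfile.TemporaryDirectory() as tmp:
        base, custom, merged = (os.path.join(tmp, n) for n in ("base.pem", "certificate.pem", "merged.pem"))
        with open(base, "wb") as fh:
            fh.write(fake)  # deliberately no trailing newline
        with open(custom, "wb") as fh:
            fh.write(fake + b"\n")
        added = build_merged_bundle(custom, merged, base_bundle=base)
        with open(merged, "rb") as fh:
            total = count_certs(fh.read())
    return added, total  # (1, 2)

if __name__ == "__main__":
    print(run_demo())
    # In a real project: build_merged_bundle("certificate.pem", "/path/to/merged.pem"), then
    # os.environ["REQUESTS_CA_BUNDLE"] = "/path/to/merged.pem" before the first requests call.
```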

That is it for the Python certifi example.

2 Comments
  1. Anil says

    Krunal, I really enjoyed the well explained in-depth knowledge.

    Quick question: Do we need to get root & intermediate certs (base64) along with the public cert value in the .pem file?

  2. Suvrat Rai says

    Hi Krunal,

    Thank you for your detailed post. It was really helpful in resolving a self-signed certificate error that I had been getting for some time.

    @Anil: Yes, I would suggest that all root & intermediate certificates are taken together in the .pem file.
