# Custom SSL Certificates When using the `quilt3` API or CLI with a client-to-site VPN you may need to trust a custom certificate in Python. ### Mac OS X 1. Direct your browser to an HTTPS website that uses a custom certificate. 2. Click the lock icon in the address bar. 3. Click View certificates and copy the certificate name to a safe place. 4. Open Keychain Access and select System Keychains > System Roots. 5. Click the Certificates tab. 6. Find the certificate that you noted above. 7. Click File > Export Items... to export the root certificate. 8. Convert the exported certificate in Terminal as follows: ```sh openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.crt ``` 9. Export the following variable. You may wish to do this in a startup file for repeatability. ```ssh export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.crt ``` ### Linux 1. Export the following variable. You may wish to do this in a startup file for repeatability. ```sh export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt ``` > The single-file version of your CA certificate may be found in different locations depending upon your operating system. ### Windows 1. Direct your browser to an HTTPS website that uses a custom certificate. 2. Click the lock icon in the address bar. 3. Click View certificates and copy the certificate name to a safe place. 4. Open the Command Prompt («Win + R») and type `certmgr` to open your Windows Certificate Manager. 5. Find the certificate that you noted above. ![MITM certificate](/files/h2lzlohtC5aXhaAkZQwG) 6. Export the certificate in Base-64 encoded X.509 (.CER) to your file system (`\Path\To\mycert.cer`). 7. Convert the exported certificate in the Command Prompt as follows (assumes OpenSSL is installed): * Certificate in `der` encoding: ```sh openssl x509 -inform der -in \Path\To\mycert.cer -out \Path\To\Converted\mycert.crt ``` * Certificate in `pem` encoding (no conversion necessary): ```sh openssl x509 -in \Path\To\mycert.cer -out \Path\To\Converted\mycert.crt ``` 8. Export the following variable. You may wish to do this in a startup file for repeatability. ```sh set REQUESTS_CA_BUNDLE=Path\To\Converted\mycert.crt ``` ### Verification `quilt3` should no longer fail with SSL errors related to the custom certificate. ### References * [SSL certificate verification with Python `Requests` library](https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.quilt.bio/quilt-python-sdk/api-reference/custom-ssl-certificates.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.