If you’re working in a corporate environment and seeing Git SSL certificate errors, you’re likely dealing with SSL inspection (also known as SSL interception or HTTPS inspection) at your company’s firewall. Let’s understand what’s happening and how to fix it.

The Real Problem

When you see this error:

git/': SSL certificate problem: unable to get local issuer certificate

In a corporate environment, this happens because:

1. Your company’s firewall is performing SSL inspection
2. The firewall decrypts and re-encrypts all HTTPS traffic
3. Git doesn’t trust the certificate used by the firewall for re-encryption

What is SSL Inspection?

In corporate environments, security teams implement SSL inspection to:

• Monitor all encrypted traffic for security threats
• Prevent data leaks
• Detect malware in encrypted connections

This process works by:

1. Intercepting the HTTPS connection
2. Decrypting the traffic at the firewall
3. Inspecting the contents
4. Re-encrypting with the company’s own certificate
5. Forwarding to your computer

The Solution

1. Get Your Company’s Root Certificate

First, you need to obtain your company’s root certificate:

• Ask your IT department for the corporate root certificate
• They might call it “SSL inspection certificate” or “HTTPS inspection certificate”
• Sometimes it’s automatically deployed via group policy

2. Install the Certificate

For Windows:

# Add the certificate to the Windows certificate store, only needed if no certificate is distributed from the IT department
certutil -addstore -f "ROOT" company-root-cert.crt

# Configure Git to use Windows certificate store, this step is mandatory
git config --global http.sslbackend schannel

For Linux:

# Copy the certificate
sudo cp company-root-cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Configure Git to use the system certificate store
git config --global http.sslcainfo "/etc/ssl/certs/ca-certificates.crt"

3. Verify the Configuration

Test your setup with:

git ls-remote https://github.com/any-repo/any-project.git

Common Pitfalls to Avoid

1. Don’t Disable SSL Verification

   # DON'T do this - it's unsafe
   git config --global http.sslVerify false

2. Don’t Use Generic Online Solutions

• Many online solutions suggest downloading certificates from public sources
• These won’t work with corporate SSL inspection
• Always use your company’s certificates

For System Administrators

If you’re managing this for your organization:

1. Group Policy Distribution

• Deploy the corporate root certificate via GPO
• Configure Git settings automatically
• Document the certificate location

1. Documentation for Developers

• Provide clear instructions for certificate installation
• Include troubleshooting steps
• List supported Git versions

Security Considerations

Understanding what’s happening:

• Your traffic is decrypted at the corporate firewall
• This is normal and secure within corporate networks
• The company certificate creates a new trusted chain
• All internal systems need to trust this certificate

Troubleshooting Steps

If you’re still having issues:

1. Verify Certificate Installation

• Check if the certificate appears in your system’s trust store
• Ensure it’s in the correct store (usually “Trusted Root Certification Authorities”)

1. Test Basic Connectivity

   curl -v https://github.com

Conclusion

SSL certificate issues in corporate environments are usually related to SSL inspection at the firewall level. The solution is not to bypass security but to properly configure Git to trust your company’s certificates.

Remember:

• Always use your company’s certificates
• Never disable SSL verification
• Keep your certificates updated
• Contact IT if you need the correct certificates

Has this helped you resolve your Git SSL issues in your corporate environment? Share your experience in the comments!