certifi

Warnings

• breaking Versions <2023.07.22 include compromised 'e-Tugra' root certificates (CVE / GHSA-xqr8-7jwr-rhp7). Any pinned version in that range must be upgraded.
  Fix: Pin to certifi>=2023.07.22 or, preferably, always allow the latest release: pip install --upgrade certifi.
• breaking certifi.old_where() was removed and re-added only as a no-op alias of certifi.where(). Code that relied on it to restore 1024-bit root certificates no longer gets those weak roots.
  Fix: Remove all calls to certifi.old_where() and replace with certifi.where(). Weak 1024-bit roots will not be available.
• gotcha certifi explicitly does NOT support modifying the CA store. Writing custom CAs directly into cacert.pem is overwritten on every package upgrade.
  Fix: Use the REQUESTS_CA_BUNDLE or SSL_CERT_FILE environment variables pointing to a separate PEM file that includes both the certifi bundle and your custom CA, or use requests' verify='/path/to/custom.pem' per-call parameter.
• gotcha On macOS (python.org installer), Python does NOT automatically use the system Keychain. SSL errors like CERTIFICATE_VERIFY_FAILED appear immediately after a fresh install.
  Fix: Run /Applications/Python\ 3.x/Install\ Certificates.command once after installation, or set SSL_CERT_FILE=$(python -m certifi) and REQUESTS_CA_BUNDLE=$(python -m certifi) in your shell profile.
• gotcha requests bundles certifi as a dependency and uses it automatically; explicitly passing verify=certifi.where() is redundant in most cases but required when REQUESTS_CA_BUNDLE or SSL_CERT_FILE overrides are set in the environment and you want to force the certifi store.
  Fix: Be intentional: pass verify=certifi.where() explicitly if you need to override environment-level CA bundle variables, otherwise omit it and let requests resolve the default.
• gotcha certifi does not read or merge the operating system's CA trust store on any platform. Corporate proxies doing TLS inspection with an internal root CA will cause SSLError even with certifi up to date.
  Fix: Append the corporate root CA PEM to a copy of certifi.where() and point REQUESTS_CA_BUNDLE at that merged file, or use the truststore package (pip install truststore) to load the OS native trust store.
• deprecated Python 2 support was dropped. certifi now requires Python >=3.7 as per its package metadata.
  Fix: Upgrade to Python 3.7+ before installing certifi 2022.x or later.

Install

• pip install certifi pip
• pip install --upgrade certifi upgrade to latest

Imports

• certifi

  import certifi
  certifi.where()

  certifi.old_where() was kept as an alias of certifi.where() after 1024-bit root removal but should no longer be used; call certifi.where() directly.
• certifi.where

  import certifi
  path = certifi.where()  # returns str path to cacert.pem

  certifi.where() is the entire public API. It returns a string file path, not a file object or a list of certs.

Quickstart

Use certifi.where() with requests, urllib3, and the stdlib ssl module to pin SSL verification to the bundled Mozilla CA store.

import certifi
import requests
import urllib3
import ssl

# 1. Print the path to the bundled CA bundle
print(certifi.where())  # e.g. /path/to/certifi/cacert.pem

# 2. Pass explicitly to requests (requests uses certifi automatically,
#    but being explicit avoids surprises when REQUESTS_CA_BUNDLE is set)
response = requests.get("https://httpbin.org/get", verify=certifi.where())
print(response.status_code)

# 3. Pass to urllib3 directly
http = urllib3.PoolManager(ca_certs=certifi.where())
r = http.request("GET", "https://httpbin.org/get")
print(r.status)

# 4. Pass to the stdlib ssl module
ctx = ssl.create_default_context(cafile=certifi.where())
print(ctx)