certifi

2026.2.25 verified Tue May 12 auth: no python install: verified quickstart: stale

certifi provides Mozilla's carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Extracted from the Requests project, it exposes a single public API — certifi.where() — returning the filesystem path to the bundled cacert.pem. The current version is 2026.2.25 (versioned by release date). Releases are issued roughly every 1–3 months, tracking Mozilla's own CA store updates.

pip install certifi

Common errors

error ModuleNotFoundError: No module named 'certifi' ↓

cause The 'certifi' package is not installed in the Python environment where the code is being executed, or the environment is not correctly configured to find installed packages.

fix

Install the certifi package using pip: pip install certifi

error SSL: CERTIFICATE_VERIFY_FAILED ↓

cause The SSL certificate presented by the server could not be verified against the trusted root certificates provided by certifi, often because the certifi package is outdated or the system's SSL certificates are not up to date. This commonly manifests as `requests.exceptions.SSLError`.

fix

Upgrade the certifi package to ensure you have the latest collection of root certificates: pip install --upgrade certifi

error OSError: Could not find a suitable TLS CA certificate bundle, invalid path ↓

cause A Python application, or even `pip` itself, is configured to look for SSL/TLS certificates at a specific path, but the file or directory at that path is missing or incorrect. This can be due to misconfigured environment variables (e.g., `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`) or corrupted installations.

fix

First, identify if environment variables like REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE are set and pointing to an invalid location. Clear or correct these variables. Ensure certifi is installed and up-to-date (pip install --upgrade certifi). If pip itself is failing, explicitly tell pip to use certifi's bundle by adding [global] cert = C:\path\to\certifi\cacert.pem to your pip configuration file (e.g., %APPDATA%\pip\pip.ini on Windows, or ~/.config/pip/pip.conf on Unix), replacing the path with the output of python -c "import certifi; print(certifi.where())"

Warnings

breaking Versions <2023.07.22 include compromised 'e-Tugra' root certificates (CVE / GHSA-xqr8-7jwr-rhp7). Any pinned version in that range must be upgraded. ↓

fix Pin to certifi>=2023.07.22 or, preferably, always allow the latest release: pip install --upgrade certifi.

breaking certifi.old_where() was removed and re-added only as a no-op alias of certifi.where(). Code that relied on it to restore 1024-bit root certificates no longer gets those weak roots. ↓

fix Remove all calls to certifi.old_where() and replace with certifi.where(). Weak 1024-bit roots will not be available.

gotcha certifi explicitly does NOT support modifying the CA store. Writing custom CAs directly into cacert.pem is overwritten on every package upgrade. ↓

fix Use the REQUESTS_CA_BUNDLE or SSL_CERT_FILE environment variables pointing to a separate PEM file that includes both the certifi bundle and your custom CA, or use requests' verify='/path/to/custom.pem' per-call parameter.

gotcha On macOS (python.org installer), Python does NOT automatically use the system Keychain. SSL errors like CERTIFICATE_VERIFY_FAILED appear immediately after a fresh install. ↓

fix Run /Applications/Python\ 3.x/Install\ Certificates.command once after installation, or set SSL_CERT_FILE=$(python -m certifi) and REQUESTS_CA_BUNDLE=$(python -m certifi) in your shell profile.

gotcha requests bundles certifi as a dependency and uses it automatically; explicitly passing verify=certifi.where() is redundant in most cases but required when REQUESTS_CA_BUNDLE or SSL_CERT_FILE overrides are set in the environment and you want to force the certifi store. ↓

fix Be intentional: pass verify=certifi.where() explicitly if you need to override environment-level CA bundle variables, otherwise omit it and let requests resolve the default.

gotcha certifi does not read or merge the operating system's CA trust store on any platform. Corporate proxies doing TLS inspection with an internal root CA will cause SSLError even with certifi up to date. ↓

fix Append the corporate root CA PEM to a copy of certifi.where() and point REQUESTS_CA_BUNDLE at that merged file, or use the truststore package (pip install truststore) to load the OS native trust store.

deprecated Python 2 support was dropped. certifi now requires Python >=3.7 as per its package metadata. ↓

fix Upgrade to Python 3.7+ before installing certifi 2022.x or later.

breaking The 'requests' package is not installed, leading to a ModuleNotFoundError when attempting to import it. The test environment only shows 'certifi' being installed. ↓

fix Ensure the 'requests' package is installed in the test environment using 'pip install requests'.

gotcha The test script or application requires the 'requests' package but it is not installed, leading to `ModuleNotFoundError: No module named 'requests'`. While 'certifi' is often used by 'requests', it does not automatically install 'requests' as a dependency. ↓

fix Ensure 'requests' is installed alongside 'certifi': pip install requests.

Install

pip install --upgrade certifi

Install compatibility verified last tested: 2026-05-12

python os / libc variant status wheel install import disk

3.10 alpine (musl) --upgrade - - 0.04s 18.0M

3.10 alpine (musl) certifi - - 0.04s 18.0M

3.10 slim (glibc) --upgrade - - 0.03s 19M

3.10 slim (glibc) certifi - - 0.02s 19M

3.11 alpine (musl) --upgrade - - 0.06s 19.9M

3.11 alpine (musl) certifi - - 0.06s 19.9M

3.11 slim (glibc) --upgrade - - 0.04s 20M

3.11 slim (glibc) certifi - - 0.04s 20M

3.12 alpine (musl) --upgrade - - 0.07s 11.8M

3.12 alpine (musl) certifi - - 0.07s 11.8M

3.12 slim (glibc) --upgrade - - 0.07s 12M

3.12 slim (glibc) certifi - - 0.07s 12M

3.13 alpine (musl) --upgrade - - 0.06s 11.4M

3.13 alpine (musl) certifi - - 0.06s 11.4M

3.13 slim (glibc) --upgrade - - 0.07s 12M

3.13 slim (glibc) certifi - - 0.06s 12M

3.9 alpine (musl) --upgrade - - 0.04s 17.5M

3.9 alpine (musl) certifi - - 0.04s 17.5M

3.9 slim (glibc) --upgrade - - 0.03s 18M

3.9 slim (glibc) certifi - - 0.03s 18M

Imports

certifi
wrong
```
from certifi import old_where; old_where()
```
correct
```
import certifi
certifi.where()
```
certifi.old_where() was kept as an alias of certifi.where() after 1024-bit root removal but should no longer be used; call certifi.where() directly.
certifi.where
```
import certifi
path = certifi.where()  # returns str path to cacert.pem
```
certifi.where() is the entire public API. It returns a string file path, not a file object or a list of certs.

Quickstart stale last tested: 2026-04-23

Use certifi.where() with requests, urllib3, and the stdlib ssl module to pin SSL verification to the bundled Mozilla CA store.

import certifi
import requests
import urllib3
import ssl

# 1. Print the path to the bundled CA bundle
print(certifi.where())  # e.g. /path/to/certifi/cacert.pem

# 2. Pass explicitly to requests (requests uses certifi automatically,
#    but being explicit avoids surprises when REQUESTS_CA_BUNDLE is set)
response = requests.get("https://httpbin.org/get", verify=certifi.where())
print(response.status_code)

# 3. Pass to urllib3 directly
http = urllib3.PoolManager(ca_certs=certifi.where())
r = http.request("GET", "https://httpbin.org/get")
print(r.status)

# 4. Pass to the stdlib ssl module
ctx = ssl.create_default_context(cafile=certifi.where())
print(ctx)