mscerts

2025.8.29 · active · verified Thu Apr 16

mscerts (version 2025.8.29) is a Python package designed to provide easy access to the Root Certificate Authorities present in the Microsoft Trusted Root Program. It functions as a fork of Kenneth Reitz's `certifi` project, offering Microsoft's collection of root certificates. The library typically sees annual updates to reflect changes in Microsoft's CA store.

Common errors

```
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:XXXX)
```
cause Python's `requests` library (or other HTTP clients) cannot find or validate the necessary root certificate to trust the server, often when interacting with services secured by Microsoft-specific CAs not present in default bundles.

fix Explicitly configure your HTTP client to use the `mscerts` bundle. For `requests`, pass the path obtained from `mscerts.where()` to the `verify` parameter: `requests.get(url, verify=mscerts.where())`.
```
AttributeError: module 'msvcrt' has no attribute 'where' (or similar for 'msrest')
```
cause The user intended to import `mscerts` but accidentally imported a different Python module with a similar name, such as `msvcrt` (a standard library module for Windows console I/O) or `msrest` (a Microsoft REST client library).

fix Ensure the correct import statement `import mscerts` is used, and functions like `where()` are called directly on the `mscerts` module. Double-check your spelling.

Warnings

gotcha Microsoft's CA Program allows for granular CA deprecation, a feature not fully supported by static certificate bundle files. Using `mscerts` might result in trusting certificates that are no longer considered trusted in the official Microsoft store for specific use cases. For most general purposes, `certifi` (Mozilla's CA bundle) is often recommended, unless explicit adherence to the Microsoft store is a strict requirement for your application (e.g., specific internal enterprise scenarios or projects like `signify`).
Fix: Be aware of the nuances of CA trust when using static bundles. Consider whether `certifi` is a more appropriate choice for broader compatibility and general web trust. If `mscerts` is essential, understand that its trust might not perfectly align with real-time Windows system trust.
gotcha The `mscerts` package acts as a direct mirror of the Microsoft CA store and does not support any programmatic addition, removal, or modification of its contained CA trust store content. Its contents are entirely determined by Microsoft's releases.
Fix: Do not attempt to modify the `cacert.pem` file provided by `mscerts` directly. If custom certificates are needed, you will need to manage your own certificate trust store or combine `mscerts` with other certificates as required by your HTTP client or SSL/TLS library.

Install

pip install mscerts Install latest version

Imports

mscerts
```
import mscerts
```
where
```
mscerts.where()
```

Quickstart

The primary use case for `mscerts` is to retrieve the file path to the Microsoft Root CA bundle, which can then be used by other libraries (like `requests`) for SSL/TLS verification. You can also get the path from the command line.

import mscerts

# Get the path to the Microsoft CA bundle file
ca_bundle_path = mscerts.where()
print(f"Microsoft CA bundle located at: {ca_bundle_path}")

# Example of how you might use it with the requests library
# (Note: requests often automatically finds system/certifi bundles)
# import requests
# try:
#     response = requests.get('https://example.com', verify=ca_bundle_path)
#     print(response.status_code)
# except requests.exceptions.RequestException as e:
#     print(f"Request failed: {e}")

view raw JSON →