Python Certifi Win32

1.6.1 · maintenance · verified Mon Apr 13

python-certifi-win32 is a Python package that patches the `certifi` module at runtime to include certificates from the Windows certificate store. This allows applications like `requests` (and tools based on it, such as `pip`) to verify TLS/SSL connections to servers whose Certificate Authorities (CAs) are trusted by the Windows operating system. The package is currently at version 1.6.1, but is generally unmaintained and has been superseded by `pip-system-certs`.

Warnings

breaking The package `python-certifi-win32` is generally unmaintained and has been replaced by `pip-system-certs`. Users are strongly encouraged to migrate to `pip-system-certs` for ongoing support and compatibility, especially with newer Python versions.
Fix: Uninstall `python-certifi-win32` and install `pip-system-certs`: `pip uninstall python-certifi-win32 && pip install pip-system-certs`.
gotcha Installation can lead to `PermissionError: [WinError 32]` errors when running `pip` or other Python commands. This is often caused by `.pth` files left open or in use.
Fix: Locate and delete `python-certifi-win32-init.pth` and `distutils-precedence.pth` files from your Python's `site-packages` directory (e.g., `C:\Users\<username>\AppData\Local\Programs\Python\Python310\Lib\site-packages`). This disables the runtime patching and may require manual certificate handling or migration to `pip-system-certs`.
breaking Version 1.4 and later dropped explicit support for Python 2 due to syntax changes (`return` with argument inside generator). While the PyPI metadata might indicate Python 2 compatibility, it is not functional.
Fix: Use Python 3.4+ or migrate to `pip-system-certs` which explicitly supports modern Python versions.
gotcha When bundling applications with PyInstaller (or similar tools), the automatic runtime patching of `certifi` does not work. Manual intervention is required to integrate Windows certificates.
Fix: Before importing `requests` (or other SSL-aware libraries), explicitly `import certifi_win32`, set `os.environ['REQUESTS_CA_BUNDLE'] = certifi_win32.wincerts.where()`, and call `certifi_win32.generate_pem()`.
gotcha Installing `python-certifi-win32` as a non-admin user on Windows 10 has been reported to cause runtime environment failures, including `PermissionError` during Python startup or when running `pip`.
Fix: Install the package with administrator privileges or, preferably, migrate to `pip-system-certs`.

Install

pip install python-certifi-win32 Using pip
conda install -c conda-forge python-certifi-win32 Using Conda

Imports

certifi_win32
```
import certifi_win32
```
While the core functionality is runtime patching, direct import may be needed for specific scenarios like PyInstaller bundles to manually enable certificate handling.

Quickstart

This quickstart demonstrates how `python-certifi-win32` is intended to work. After installation, it transparently patches `certifi` to include Windows system certificates. When libraries like `requests` make HTTPS calls, they automatically leverage this enhanced certificate store for verification, which is particularly useful in enterprise environments that rely on custom root CAs deployed via Windows Group Policy. The example performs a simple `requests.get` to show a successful secure connection. Explicit imports are typically not needed for runtime patching, but are shown commented for advanced use cases like PyInstaller.

import requests
import sys
import os

print(f"Attempting to make a secure request...")

try:
    # In a Windows environment with python-certifi-win32 installed,
    # this request should implicitly use the combined CA bundle
    # including Windows system certificates.
    response = requests.get("https://www.google.com", timeout=10)
    response.raise_for_status()
    print(f"Successfully connected to Google (Status: {response.status_code})")
    print("This indicates that SSL/TLS verification worked, potentially leveraging Windows system certificates.")
except requests.exceptions.RequestException as e:
    print(f"Error making request: {e}")
    print("If this is on Windows and behind a corporate proxy, python-certifi-win32 aims to resolve such SSL errors by including system CAs.")

# Example of how it might be explicitly used for PyInstaller (not part of typical quickstart)
# if sys.platform == 'win32':
#     import certifi_win32
#     # This sets an environment variable that 'requests' respects to find the CA bundle.
#     os.environ['REQUESTS_CA_BUNDLE'] = certifi_win32.wincerts.where()
#     certifi_win32.generate_pem()
#     print(f"REQUESTS_CA_BUNDLE set to: {os.environ['REQUESTS_CA_BUNDLE']}")

view raw JSON →