Behind a firewall, using Chrome, I am able to access a GitHub repository like so: https://github.com/Squirrel/Squirrel.Windows

Chrome uses our certificate for this access. If I try to access the same url using GitExtensions, I get this error:

SSL certificate problem: self signed certificate in certificate chain

Can I cause GitExtensions to use our certificate to allow access?

EDIT: more info:

On my machine, I don’t see msysGit, but I do see mingw/curl, so I assume Git is using these. These apparently do not use Windows trust certificates when building the certificate chain. The error that I get, SSL certificate problem: self signed certificate in certificate chain, indicates that the root certificate used by Git/GitHub is not present in the built-in certificate authority (CA) root bundle. As @Akber Choudhry has pointed out, the CA certificate that is the root of the chain of the certs served by the GitHub SSL server is DigiCert High Assurance EV Root CA, and I do see that CA in C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt.

To verify that the problem is with Git, not GitExtensions, I did this on the command line:

 >>git clone https://github.com/Squirrel/Squirrel.Windows.git

And received the same SSL certificate problem error.

It gives the appearance that Git is not using this certificate, thus I tried configuring Git like so:

>>git config --system http.sslcainfo "C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt"

but this had no effect.

  • What certificate is actually being used? What location are you connecting to? And are you 100% sure you're not getting MitM'ed?
    – LvB
    Commented Jun 23, 2016 at 13:56
  • We are not getting MitM'ed. I'm not the network guy here, but I do believe the certificate is one that has been purchased. I don't know what you mean when you ask what location is being connected to. Commented Jun 23, 2016 at 14:00
  • Talk to the network guy first, then check your TLS server setup (you can use tools like [ssllabs.com]), and learn about how the HTTP(S) protocol actually works, because you assume way too much, and you need to know stuff, not assume it.
    – LvB
    Commented Jun 23, 2016 at 14:03
  • I'd suggest checking out GitKraken. I use it for my development
    – Robert Mennell
    Commented Jun 24, 2016 at 21:03

2 Answers


Behind a firewall, ...github ... Chrome uses our certificate for this access.

Based on this description I assume that "our" certificate is not the original certificate for Github but that you are using a firewall with SSL inspection which generates its own ("our") certificate to man-in-the-middle the connection. The CA in the firewall which issued this certificate (proxy CA) is probably added to the Windows Trust Store and thus Chrome will trust it.

But Git doesn't use the Windows Trust Store and thus doesn't know about this proxy CA. Therefore you need to add the proxy CA used by the firewall to the CA store for Git, and not the original CA which issued the certificate for Github.

  • I ended up [doing this], which is: 1. Make a copy of curl-ca-bundle.crt. 2. Copy/paste the DigiCert High Assurance EV Root CA into this copy. 3. Point Git to this copy. Commented Jun 28, 2016 at 19:27
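
The procedure from the answer above (keep the stock bundle untouched, build a copy that also contains the firewall's proxy CA, point Git at the copy), as an added shell example that is not part of the original answers. The function names, `proxy-ca.pem` and the output path are assumptions; the stock bundle path is the one from the question, written in Git Bash form.

```shell
#!/bin/sh
# Added example (not from the original answers). Paths and file names are
# assumptions; proxy-ca.pem stands for the inspection proxy's CA certificate,
# exported from the Windows store as "Base-64 encoded X.509".

# Print the number of PEM certificates in a file (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_bundle BASE PROXY_CA OUT
# Writes OUT = BASE + PROXY_CA. BASE is never modified, and OUT is rebuilt
# from scratch each time, so re-running never appends the CA twice.
build_bundle() {
    base=$1; proxy_ca=$2; out=$3
    [ -r "$base" ] || { echo "cannot read base bundle: $base" >&2; return 1; }
    [ -r "$proxy_ca" ] || { echo "cannot read CA file: $proxy_ca" >&2; return 1; }
    # A DER (binary) export has no PEM header and cannot be concatenated
    # into a PEM bundle; a multi-certificate file is not what was asked for.
    if [ "$(count_certs "$proxy_ca")" -ne 1 ]; then
        echo "expected exactly one PEM certificate in $proxy_ca" >&2; return 2
    fi
    # An export that includes the key must never land in a trust bundle.
    if grep -q -- 'PRIVATE KEY-----' "$proxy_ca"; then
        echo "$proxy_ca contains a private key; export the certificate only" >&2
        return 3
    fi
    tmp="$out.tmp.$$"
    # The blank line guards against a base bundle with no trailing newline.
    { cat "$base"; echo; cat "$proxy_ca"; } > "$tmp" && mv "$tmp" "$out"
}

# Point Git at the combined bundle for the current user only.
use_bundle() {
    git config --global http.sslCAInfo "$1"
}

# Typical use from Git Bash (paths are assumptions):
#   build_bundle "/c/Program Files (x86)/Git/bin/curl-ca-bundle.crt" \
#                "$HOME/proxy-ca.pem" "$HOME/git-ca-bundle.crt" &&
#   use_bundle "$HOME/git-ca-bundle.crt"
```

Adding the proxy CA keeps certificate verification switched on, so Git still rejects chains that end in any CA other than the ones in the bundle.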

When you use Chrome and access Github over HTTPS, you are just verifying Github's certificate chain against built-in root certs in your browser and in Windows.

Under the covers, Gitextensions uses msysgit, which does not consult Windows trust certificates when building the certificate chain.

From the error, it appears that the root certificate used by Github is not present in the built-in certificate authority (CA) root bundle. This may just be due to Gitextensions bundling an older version of msysgit or curl.

msysgit does include DigiCert High Assurance EV Root CA in its CA bundle and it has been there for a number of years. Search for this string in the file bin/curl-ca-bundle.crt

Check if there is an older version of msysgit or mingw tools installed on your machine. If so, clean out and re-install. Finally, consult msysgit certificate addition procedure if you need to add the certificate.

  • Looking in C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt, I do see that CA. Commented Jun 23, 2016 at 15:14
  • Is msysgit obsolete? It says at that page that msysGit has been superseded by Git for Windows 2.x. Also, I don't understand how that particular CA (DigiCert High Assurance EV Root CA) is significant. Can you explain? Commented Jun 23, 2016 at 15:18
  • 1
    That CA certificate is the root of the chain of the certs served by github SSL server. If your client (browser or git client) has that root certificate defined, it can validate the origin of the other certificates in the chain. I am not sure where it is picking up the CA bundle from but try wiping it out and installing Git for Windows.
    – Akber Choudhry
    Commented Jun 23, 2016 at 16:48
  • Can you define exactly what you mean by "wiping it out"? I.e. what is "it" and how do I wipe it out? Commented Jun 23, 2016 at 16:58
  • 1
    It would depend on your system and path and from where curl gets invoked. I would say that any mingw or msysgit installations should go.
    – Akber Choudhry
    Commented Jun 23, 2016 at 17:15
