Git on Windows fails with 'unable to get local issuer certificate' using HTTPS and self-signed certificate
Git for Windows uses cURL with its own certificate bundle (curl-ca-bundle.crt) rather than the Windows system certificate store, so HTTPS verification fails even when Windows itself trusts the self-signed certificate. The root cause is typically that IIS Manager's built-in 'Create Self Signed Certificate' produces a bare leaf certificate with no issuer chain that cURL can validate. The fix is a two-tier setup: create a proper CA root certificate, use it to issue a server authentication certificate for IIS, and append the PEM-encoded CA root to a private copy of curl-ca-bundle.crt that Git config references.
Indicators
- Git HTTPS operations fail with 'SSL Certificate problem: unable to get local issuer certificate'
- Git HTTPS fails while HTTP access to the same repository works without error
- Browser (Internet Explorer/Edge) can access the HTTPS repository without certificate warnings
- Certificate is visible in Windows Trusted Root Certification Authorities store but Git still rejects it
- Git continues to fail even after the certificate is pasted into curl-ca-bundle.crt
Likely causes
- cURL (used internally by Git for Windows) does not read the Windows system certificate store and relies solely on its own curl-ca-bundle.crt file
- IIS Manager 'Create Self Signed Certificate' generates a single leaf certificate that acts as both root and end-entity, providing no issuer chain that cURL can validate
- The self-signed certificate was not exported in correct PEM format before being appended to curl-ca-bundle.crt
- Git http.sslCAInfo config points to the wrong or unmodified curl-ca-bundle.crt file
- A custom curl-ca-bundle.crt was created but Git was not reconfigured to reference it
Diagnostic steps
- Confirm Git is using HTTPS: run 'git remote -v' in the repository directory and verify the remote URL begins with 'https://'
- Check which certificate bundle Git is using: run 'git config --global http.sslCAInfo' and note the full file path returned
- Temporarily rename the curl-ca-bundle.crt file identified above and retry a Git operation; confirm Git reports the bundle as missing, proving it is the active trust source
- Clone a known public HTTPS repository (e.g., github.com) to confirm base Git/cURL SSL functionality is working correctly before investigating the internal certificate
- Inspect the server certificate: open IIS Manager, navigate to Server Certificates, and check whether the certificate was created using 'Create Self Signed Certificate'; these certificates have no issuer chain and are incompatible with cURL validation
- Export the server certificate in PEM format and open it in a text editor; verify it begins with '-----BEGIN CERTIFICATE-----' and ends with '-----END CERTIFICATE-----' before appending to curl-ca-bundle.crt
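The diagnostic steps above can be scripted. This PowerShell check is an added example, not part of the original page; it assumes PowerShell 5.1 or later and a CA root subject of "CN=MyDevCA". It reads the bundle Git actually uses, parses every PEM block the way cURL will, and flags any self-signed leaf in the machine store that carries no CA flag (the IIS 'Create Self Signed Certificate' pattern).

```powershell
# Added diagnostic (not from the original page). Assumed CA root subject: CN=MyDevCA.
$caSubject = "CN=MyDevCA"

function Test-IsCA([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # Basic Constraints (OID 2.5.29.19) with CA=TRUE is what lets cURL treat a certificate as an issuer.
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.19" }
    return [bool]($bc -and $bc.CertificateAuthority)
}

# Check 1: which bundle is Git actually using? (--get returns the effective value: global or system config)
$bundle = git config --get http.sslCAInfo
if (-not $bundle -or -not (Test-Path $bundle)) { throw "http.sslCAInfo is unset or points to a missing file: '$bundle'" }

# Check 2: decode every PEM block in the bundle; a badly exported block simply fails to parse here.
$pattern = '-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\r\n]+?)\s*-----END CERTIFICATE-----'
$certs = foreach ($m in [regex]::Matches((Get-Content -Raw -Path $bundle), $pattern)) {
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}
"$bundle : $($certs.Count) parseable certificates"
$root = $certs | Where-Object { $_.Subject -eq $caSubject } | Select-Object -First 1
if ($root) { "CA root present: $($root.Thumbprint), CA flag = $(Test-IsCA $root)" }
else       { "CA root '$caSubject' NOT in bundle (missing, or its PEM block is malformed)" }

# Check 3: the IIS trap. A certificate that is its own issuer but has no CA flag is a bare leaf:
# Windows trusts it directly from the Root store, but cURL cannot build a chain to it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and -not (Test-IsCA $_) } |
    ForEach-Object { "Self-signed leaf in LocalMachine\My (cURL-incompatible): $($_.Subject) $($_.Thumbprint)" }
```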
Resolution path
- Do not use IIS Manager's 'Create Self Signed Certificate' for this purpose — it produces a cURL-incompatible leaf certificate with no issuer chain
- Create a self-signed CA Root certificate using makecert.exe or OpenSSL: e.g., 'makecert -n "CN=MyDevCA" -r -pe -a sha256 -len 2048 -cy authority -sv MyDevCA.pvk MyDevCA.cer'
- Install the CA Root certificate into the Windows Trusted Root Certification Authorities store via certmgr.msc
- Use the CA Root certificate to issue a Server Authentication certificate for the IIS server hostname
- Install the Server Authentication certificate in IIS and bind it to the HTTPS site
- Export the CA Root certificate in PEM format (Base-64 encoded .cer) from certmgr.msc
- Locate the active curl-ca-bundle.crt path using: 'git config --global http.sslCAInfo'
- Copy curl-ca-bundle.crt to a private location (e.g., C:\certs\curl-ca-bundle.crt) to avoid overwrite on Git updates
- Append the PEM-encoded CA Root certificate to the private curl-ca-bundle.crt file
- Configure Git to reference the private bundle: 'git config --global http.sslCAInfo "C:/certs/curl-ca-bundle.crt"'
- Retry Git HTTPS operations (e.g., 'git clone' or 'git pull') to confirm the SSL error is resolved
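The resolution steps above, carried out end to end in PowerShell, as an added example that is not part of the original page. It uses New-SelfSignedCertificate (Windows 10 / Server 2016 or later for the -Signer parameter) in place of makecert, and assumes an elevated session on the IIS host, a CA named "MyDevCA", the hostname "git.internal.example", and C:\certs\curl-ca-bundle.crt as the private bundle path.

```powershell
# Added example (not from the original page). Assumed values below; adjust to your environment.
$caName   = "MyDevCA"
$hostName = "git.internal.example"
$bundle   = "C:\certs\curl-ca-bundle.crt"

# 1. CA root: self-signed, but marked as a CA (basic constraints ca=1) so it can issue and be chained to.
$ca = New-SelfSignedCertificate -Subject "CN=$caName" -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=0")

# 2. Server Authentication certificate issued by that CA; this is the one IIS binds to the HTTPS site.
$srv = New-SelfSignedCertificate -Subject "CN=$hostName" -DnsName $hostName -Signer $ca `
    -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage DigitalSignature, KeyEncipherment `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")   # EKU = Server Authentication
"Bind this thumbprint to the IIS HTTPS site: $($srv.Thumbprint)"

# 3. Trust the CA root in the Windows store (used by browsers and the IIS chain; cURL ignores this store).
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new("Root", "LocalMachine")
$store.Open("ReadWrite"); $store.Add($ca); $store.Close()

# 4. PEM-encode the CA root (Base-64 DER between BEGIN/END markers), the format cURL's bundle expects.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($ca.RawData, "InsertLineBreaks") +
       "`r`n-----END CERTIFICATE-----`r`n"

# 5. Private copy of the bundle Git currently uses, so a Git upgrade cannot silently overwrite the change.
$orig = git config --get http.sslCAInfo          # effective value: global or system config
if (-not $orig) { $orig = "C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt" }  # assumed default install path
New-Item -ItemType Directory -Force -Path (Split-Path $bundle) | Out-Null
Copy-Item -Path $orig -Destination $bundle -Force
Add-Content -Path $bundle -Value $pem -Encoding Ascii   # ASCII, not UTF-16/BOM: cURL would fail to parse the block

# 6. Point Git at the private bundle (forward slashes avoid escaping issues in .gitconfig) and verify.
git config --global http.sslCAInfo ($bundle -replace '\\', '/')
git ls-remote "https://$hostName/repo.git" HEAD   # exercises the same TLS path as clone/pull
```

The server certificate still has to be bound to the HTTPS site in IIS Manager using the printed thumbprint; the repository URL in the final command is a placeholder for your own.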
Prevention
- Always use a two-tier certificate approach for development: a CA root certificate that issues a separate server authentication certificate, never a single self-signed leaf certificate
- Use makecert, OpenSSL, or mkcert instead of IIS Manager's built-in 'Create Self Signed Certificate' for any certificate that must be trusted by non-Windows SSL stacks
- Maintain a standard private curl-ca-bundle.crt containing all internal CA certificates and distribute it as part of developer workstation provisioning
- Configure Git's http.sslCAInfo to point to the managed private bundle during developer onboarding so HTTPS to internal repositories works from day one
- Document all internal CA root certificates in the PKI register and include them in endpoint management tooling (e.g., Intune or Group Policy) so trust is distributed automatically
Tools
- Git for Windows (msysGit)
- cURL
- curl-ca-bundle.crt
- makecert.exe (Windows SDK)
- OpenSSL (alternative CA/cert generation)
- mkcert (modern alternative for locally-trusted development certificates)
- IIS Manager
- Windows Certificate Manager (certmgr.msc)