Git for Windows with TFS and SSL behind a proxy

If you run your TFS on prem and use git for windows you may run into two issues. The first occurs if you use SSL for your TFS. The second occurs if you are behind a proxy.

Use Git for Windows with a corporate SSL certificate

If you have a corporate SSL certificate and want to clone your repo from the console or VSCode you get the following error:

fatal: unable to access ‘https://myserver/tfs/DefaultCollection/_git/Proj/’: SSL certificate problem: unable to get local issuer certificate

The solution is described in MSDN article. It is outdated – that’s why I will explain it here. Export your root Certificate to a file. You can do this from within your browser. Open your TFS, click the lock symbol right to the url, and click view certificate. In the tab “Cerification Path” select the root and click view certificate again.


In the “Details” tab is a button to export the certificate. Use Base-64 encoded X.509 and save it to a file anywhere on your disk.


Locate the “ca-bundle.crt” file in your git folder (current version C:\Program Files\Git\usr\ssl\certs but is has changed in the past). Copy the file to your user profile. Open it with a text editor like VSCode and add the content of your exported certificate to the end of the file.


Now we have to configure git to use the new file:

git config --global http.sslCAInfo C:/Users/<yourname>/ca-bundle.crt

This will add the following entry to your .gitconfig file in the root of your user profile.

    sslCAInfo = C:/Users/<yourname>/ca-bundle.crt

Use Git for Windows behind a proxy

If you are behind a proxy, it is pretty easy and well documented how you configure git to use it. The problem is that after that you cannot access your local TFS server. For that to work you have to add an exception for your local URL.

Open the .gitconfig file in the root of your user profile. Locate the http section. If your TFS uses SSL and you followed step one you should already have an entry with an sslCAInfo item. Add the url of your TFS to the section had and add a new section without the url. Add a proxy item to both items. Leave it blank for the entry that has your TFS url in it.

    proxy = ""
[http ""]
    proxy = ""
    sslCAInfo = C:/Users/<yourname>/ca-bundle.crt


That’s it. Now you can work with repos in your company network and in the internet. This is true for all kind of git repos – not only TFS.

21 thoughts on “Git for Windows with TFS and SSL behind a proxy

  1. BTW good news! If you install a newer Git for Windows version and select “Secure Channel” as HTTPS backend instead of OpenSSL, it should work already after installing the certificate into your “Trusted Root Certification Authorities” Credential Store.

    1. I installed git for windows version with “use the native windows secure channel library” selected and the self signed certs already pushed to trusted root certification authorities folder and intermediate certification authorities folder. Still got the same error when trying to clone with Visual Studio 2017 (not console or VS Code).

  2. Many many thanks for this.

    Minor typo:
    git config –global http.sslCAInfo C:/Users//ca-bundle.crt

    (web editor seems to change two minuses into a long hyphen)

  3. Doh, anyways, don’t copy paste the above line, and make sure you type two minuses instead of the long hyphen there (though not a mistake seasoned git veterans would make 😉

  4. I’m sorry but it does not work to me.
    I’m using a Corporate/Self Signed certificate that is placed under “Trusted Root Certification Authorities”.
    I installed Git for Windows using “Windows Secure Channel Library” and I got “SSL certificate problem: unable to get local issuer certificate” error message.

    I followed this guide and proceeded but now with git config –global http.sslCAInfo C:/Users//ca-bundle.crt
    I see two ../ca-bundle.crt
    One is there, and there is another one under C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt.
    I modified also this crt including the content of the extracted self-signed certificate.
    So basically they are the same file.
    I also modified the crt under Visual Studio Git installation (path: C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\ssl\certs)

    But yet I wasn’t able to clone repository.
    Any other ideas?

    1. Locate the .gitconfig in your user profile and check the sslCAInfo path in the http section. In this crt file your root certificate must be correct (with start and end section). This still works after updating git for windows. If this doesen’t work you can try the method of schindelin and reinstall git for windows and choose “Secure Channel”. I havn’t tried that yet.

Leave a Reply to tbmreza Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s