Overview
This article shows how to make command-line tools and developer frameworks trust the Cato Networks TLS Inspection certificate, so HTTPS works without errors while traffic is inspected. It covers how to install the Cato certificate system-wide and how to point specific tools to the certificate when they don’t use the OS trust store.
In all examples below, replace /path/to/CatoNetworksTrustedRootCA.pem with the actual path for your environment.
Install the Certificate System-Wide (Recommended)
Installing the Cato Root CA in the host OS lets most apps trust inspected traffic automatically. You can install the Cato Root CA as described in How to Install the Cato Certificate.
If something doesn’t work as expected, you can manually add the Cato Root CA to the OS trust store. For more information about installing the Cato certificate, see the relevant article:
Combined Certificate Bundle (For Tools That Override the Trust Bundle)
Some tools override the CA trust bundle instead of extending it, meaning they actually delete all the certificates that were there before. To ensure these tools trust both public websites and Cato-inspected traffic, create a combined bundle that includes the OS trusted root certificates plus the Cato Root CA.
Recommendation: Install the Cato Root CA in the system store. Use a combined bundle only for tools that require a single CA file.
Maintenance tip: Rebuild the combined bundle periodically (for example, monthly or after OS trust updates).
Windows (PowerShell)
# Run in elevated PowerShell
$dest="$env:ProgramData\CatoNetworks\TLS\cato_combined_ca.pem"; $destDir=Split-Path $dest; New-Item -ItemType Directory -Force -Path $destDir | Out-Null; Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root, Cert:\CurrentUser\CA, Cert:\LocalMachine\CA | Sort-Object Thumbprint -Unique | ForEach-Object { "-----BEGIN CERTIFICATE-----"; [System.Convert]::ToBase64String($_.RawData,'InsertLineBreaks'); "-----END CERTIFICATE-----"; "" } | Out-File -Encoding ascii $dest; Write-Host "Combined bundle written to: $dest"Output path: C:\ProgramData\CatoNetworks\TLS\cato_combined_ca.pem
macOS
sudo mkdir -p "/Library/Application Support/CatoNetworks/TLS"
security find-certificate -a -p \
/System/Library/Keychains/SystemRootCertificates.keychain \
/Library/Keychains/System.keychain \
> /tmp/cato_combined_ca.pem && \
sudo install -m 0644 /tmp/cato_combined_ca.pem \
"/Library/Application Support/CatoNetworks/TLS/cato_combined_ca.pem"Output path: /Library/Application Support/CatoNetworks/TLS/cato_combined_ca.pem
Linux
Concatenate the OS bundle with the Cato CA to produce a single file.
Debian/Ubuntu:
sudo bash -c 'cat /etc/ssl/certs/ca-certificates.crt > /etc/ssl/certs/cato_combined_ca.pem'Output path: /etc/ssl/certs/cato_combined_ca.pem
RHEL/CentOS/Alma/Rocky:
sudo bash -c 'cat /etc/pki/tls/certs/ca-bundle.crt > /etc/pki/tls/certs/cato_combined_ca.pem'Output path: /etc/pki/tls/certs/cato_combined_ca.pem
Tool-Specific Configurations
Some tools ignore the OS trust store or run in environments where it’s not available. In these cases, explicitly configure them to use the Cato CA or the combined bundle.
General Variable Setting Syntax
Linux/macOS:
export VARIABLE_NAME=/path/to/fileor for a permanent solution:
echo 'export VARIABLE_NAME=/path/to/file' >> ~/.zshrc or ~/.bashrc
source ~/.zshrc or ~/.bashrcWindows CMD
set VARIABLE_NAME=C:\path\to\fileor for a permanent solution:
Run setx VARIABLE_NAME "C:\path\to\file" and then reopen the CMD window.
Windows PowerShell
$env:VARIABLE_NAME="C:\path\to\file"For a permanent solution for the current user:
Run
setx VARIABLE_NAME "C:\path\to\file"and then reopen the CMD window.For a permanent solution for all users on the device:
Run
[System.Environment]::SetEnvironmentVariable("VARIABLE_NAME", "C:\path\to\file", "Machine")
Python (Requests, AWS CLI, Azure CLI, Gcloud CLI)
Python tools often use certifi, which ships its own CA bundle (separate from the OS trust store).
Recommended General Python Fix
macOS or Linux – set the REQUESTS_CA_BUNDLE variable to the combined bundle (instructions above Combined Certificate Bundle (For Tools That Override the Trust Bundle)).
Windows – run
pip install pip-system-certsto make Python use the Windows trust store directly.
Tool-Specific Python Fix
Only for macOS/Linux, you can either append the Cato Root CA to the tool’s certifi bundle, or point its CA variable to the combined bundle.
Azure CLI (macOS/Linux)
Append the Cato Root CA to the certifi bundle shipped with the CLI. To find Cerifi’s bundle location, run the following command:
$(az --version 2>&1 | awk -F"'" '/Python location/ {print $2}') -m certifiAWS CLI / Boto (MacOS/Linux)
Set the variable:
AWS_CA_BUNDLE=/path/to/cato_combined_ca.pemOr add this line to the config file (~/.aws/config)
ca_bundle = /path/to/cato_combined_ca.pemGcloud CLI
Append the Cato Root CA to the certifi bundle shipped with the SDK:
~/google-cloud-sdk/platform/bundledpython*/lib/python*/site-packages/certifi/cacert.pemNote: Paths may vary depending on how you installed the tool. If you don’t see certifi/cacert.pem in these locations, search inside the tool’s directory.
OpenSSL (Curl, Composer, Ruby/Fastlane)
Many tools (such as Curl, Composer, and Ruby/Fastlane) rely on OpenSSL for TLS. By default, OpenSSL reads the system CA bundle on Linux, but on macOS (Homebrew OpenSSL) and Windows, it uses its own CA files instead of the OS trust store.
Recommeded General OpenSSL Fix
Set the SSL_CERT_FILE variable to the combined bundle.
Tool Specific OpenSSL Fix
If needed, configure each OpenSSL-based tool to point to the combined bundle, or append the Cato Root CA into the OpenSSL certs directory and run c_rehash.
Curl
For built-in curl on macOS (SecureTransport), Windows (Schannel), and most Linux builds (OpenSSL/LibreSSL), no additional configuration is required. These builds already use the OS trust store.
To confirm which TLS library curl is using, run: curl --version
For OpenSSL/LibreSSL builds that don’t use the OS store, explicitly set the variable CURL_CA_BUNDLE to point to the combined bundle file (using the syntax explained above).
Composer (PHP)
Configure Composer to use the combined bundle: composer config -g cafile /path/to/cato_combined_ca.pem
Ruby, Bundler, and Fastlane
Configure Ruby/Fastlane to trust the combined bundle: bundle config --global ssl_ca_cert /path/to/cato_combined_ca.pem
Node.js and npm
Node.js and npm handle certificate stores differently depending on the OS.
Windows - Node.js often uses the system store, so installing the Cato Root CA system-wide is usually enough.
Linux/macOS - Node.js typically uses its own CA bundle, which does not include the Cato Root CA.
Node.js
If you encounter TLS errors, configure Node.js to trust the Cato Root CA:
Set the NODE_EXTRA_CA_CERTS variable to point to the Cato Root CA file (not the combined bundle):
export NODE_EXTRA_CA_CERTS=/path/to/CatoNetworksTrustedRootCA.pem
This variable tells Node.js to trust the additional CA on top of the built-in ones.
npm
npm requires the combined bundle instead of a single CA file. Configure npm as follows:
npm config set cafile "/path/to/cato_combined_ca.pem"
This ensures npm trusts both the Cato Root CA and public root CAs.
Java (Maven, Gradle, JDBC, etc...)
Java uses its own trust store file called cacerts. To enable TLS inspection, import the Cato Root CA into this store.
The default password for cacerts is changeit.
Linux/macOS
sudo keytool -importcert -noprompt \
-alias cato-root-ca \
-file /path/to/CatoNetworksTrustedRootCA.pem \
-keystore $JAVA_HOME/lib/security/cacerts \
-storepass changeitWindows (PowerShell)
keytool -importcert -noprompt `
-alias cato-root-ca `
-file "C:\path\to\CatoNetworksTrustedRootCA.pem" `
-keystore "C:\Program Files\Java\jdk-17\lib\security\cacerts" `
-storepass changeitAll Java-based tools (such as Maven, Gradle, JDBC drivers, Salesforce Apex Data Loader) will trust the Cato CA once it’s added to the cacerts store.
Docker
Docker consists of two parts: the engine/daemon on the host and any images/containers.
The Docker engine uses the host OS trust store, so installing the Cato Root CA system-wide is sufficient.
For images, you must import the Cato Root CA into the container.
Debian/Ubuntu-Based Images:
COPY CatoNetworksTrustedRootCA.pem /usr/local/share/ca-certificates/cato-root-ca.crt
RUN update-ca-certificatesRHEL/CentOS-Based Images:
COPY CatoNetworksTrustedRootCA.pem /etc/pki/ca-trust/source/anchors/
RUN update-ca-trustThis ensures applications inside the container can trust Cato-inspected TLS traffic.
Go
Go has its own TLS implementation, but by default, it relies on the OS trust store. Installing the Cato Root CA system-wide is usually sufficient.
In some cases (for example, in CI/CD pipelines or containers), you may need to override the trust configuration explicitly by setting the variable SSL_CERT_FILE to point to the combined bundle file.
Android Studio
Android Studio uses its own cacerts trust store inside the bundled JDK. To enable TLS inspection, import the Cato Root CA into that store. The default password is changeit.
Linux/macOS
sudo keytool -importcert -noprompt \
-alias cato-root-ca \
-file /path/to/CatoNetworksTrustedRootCA.pem \
-keystore $ANDROID_STUDIO_JDK/lib/security/cacerts \
-storepass changeitWindows (PowerShell)
keytool -importcert -noprompt `
-alias cato-root-ca `
-file "C:\path\to\CatoNetworksTrustedRootCA.pem" `
-keystore "C:\Program Files\Android\Android Studio\jre\lib\security\cacerts" `
-storepass changeitGit
Git normally uses the OS trust store. If the Cato Root CA is installed system-wide, no additional configuration is needed.
If Git fails to trust the Cato Root CA, configure it explicitly to use the combined bundle:
git config --global http.sslCAInfo /path/to/cato_combined_ca.pem