WSL Trust Store Integration

When corporate SSL inspection (Cisco Umbrella, Zscaler) breaks WSL tools, you need to export the corporate CA from Windows and import it into WSL’s trust store.

The Problem

Corporate networks often use SSL inspection (MITM proxies). This means:

  1. All HTTPS traffic is decrypted and re-encrypted by the proxy

  2. The proxy presents its own certificate, signed by a corporate CA

  3. Windows trusts this CA (pushed via GPO)

  4. WSL does NOT inherit the Windows trust store

Result: curl, git, and other tools fail with:

SSL certificate verify result: unable to get local issuer certificate (20)

Solution: Export CA from Windows to WSL

Step 1: Find the Corporate CA

# List all root CAs in the machine store (Cert:\LocalMachine\Root)
Get-ChildItem Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter

# Find Cisco Umbrella specifically
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "Umbrella" } | Format-List *

# Or search for any corporate/proxy CA
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -match "Umbrella|Zscaler|Corporate|Proxy|Firewall"
}

Step 2: Export to PEM Format

Linux tools expect PEM format (the DER certificate, Base64-encoded, between BEGIN/END CERTIFICATE markers):

# Get the certificate
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "Umbrella" }

# Exactly one certificate must match: if several do, $cert is an array,
# $cert.RawData becomes an array of byte arrays and the exported file is garbage
if (@($cert).Count -ne 1) { throw "Expected exactly one matching CA, found $(@($cert).Count)" }

# Export to PEM (InsertLineBreaks wraps the Base64 every 76 characters)
New-Item -ItemType Directory -Force -Path C:\temp | Out-Null
[System.IO.File]::WriteAllText("C:\temp\cisco-umbrella-ca.crt", `
    "-----BEGIN CERTIFICATE-----`n" + `
    [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') + `
    "`n-----END CERTIFICATE-----`n")

# Verify export
Get-Content C:\temp\cisco-umbrella-ca.crt

Step 3: Import to WSL Trust Store

Arch Linux (WSL)

sudo cp /mnt/c/temp/cisco-umbrella-ca.crt /etc/ca-certificates/trust-source/anchors/
sudo update-ca-trust

Debian/Ubuntu (WSL)

# The file name must end in .crt, otherwise update-ca-certificates ignores it
sudo cp /mnt/c/temp/cisco-umbrella-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

RHEL/Fedora (WSL)

sudo cp /mnt/c/temp/cisco-umbrella-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Step 4: Verify

# Test with curl
curl -vI https://git.sr.ht 2>&1 | grep -E "(SSL|verify|issuer)"

# Should show: SSL certificate verify ok
# Instead of: unable to get local issuer certificate

One-Liner (PowerShell + WSL)

If you know the CA name:

# PowerShell: Export Umbrella CA to temp
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "Umbrella" }
[System.IO.File]::WriteAllText("C:\temp\corp-ca.crt", "-----BEGIN CERTIFICATE-----`n" + [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') + "`n-----END CERTIFICATE-----")
# WSL (Arch): Import and update trust
sudo cp /mnt/c/temp/corp-ca.crt /etc/ca-certificates/trust-source/anchors/ && sudo update-ca-trust

Troubleshooting

Certificate Not Found

If Where-Object { $_.Subject -match "Umbrella" } returns nothing:

# List ALL root CAs - look for corporate/proxy names
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject | Sort-Object Subject

Still Failing After Import

Check if git is using the system trust store:

# Check git SSL config
git config --global --get http.sslCAInfo

# If set to a specific file, either:
# 1. Append corporate CA to that file
# 2. Unset to use system store
git config --global --unset http.sslCAInfo

For a single host, disable SSL verification:

# Per-host workaround only
git config --global http.https://git.sr.ht.sslVerify false

This disables certificate verification for that one host only. The proper fix is importing the CA.