Custom SSL Certificate with fossa-cli

Point the CLI at custom root certificate stores for TLS in locked-down networks.

1 min readUpdated Jul 9, 2026

Custom SSL Certificate with fossa-cli

fossa-cli uses the path provided in the following environment variable to infer root certificate store:

  1. SSL_CERT_FILE
  2. SSL_CERT_DIR
  3. SYSTEM_CERTIFICATE_PATH (only for linux)

If none of these environment variables are provided, fossa-cli uses a system store to retrieve signed certificates.

Linux

fossa-cli looks for certificate store in the following paths:

  • /etc/ssl/certs/
  • /system/etc/security/cacerts/
  • /usr/local/share/certs/
  • /etc/ssl/cert.pem

macOS

fossa-cli creates a certificate store by finding all signed certificates.

We use following command to retrieve all signed certificates: security find-certificate -pa /System/Library/Keychains/SystemRootCertificates.keychain /Library/Keychains/System.keychain

Windows

fossa-cli retrieves certificates store by performing,

From which, CertEnumCertificatesInStore perform until exhaustion to retrieve all signed certificates.

Recommendations

We recommended that you leverage the operating system's certificate store instead of using environment variables.

Examples

In Windows:

$Env:SSL_CERT_FILE = "\path\to\rootCa"
fossa analyze

In Linux:

SSL_CERT_FILE=path/to/rootCa fossa analyze

In Osx:

SSL_CERT_FILE=path/to/rootCa fossa analyze
© 2026 FOSSA, Inc.support@fossa.com