I have a git 2.43 for Windows client. It was installed with 'Use the OpenSSL library' option. Then it does not use the operating system key store, but relies on its own ca-boundle.crt and ca-boundle-trust.crt files for certificates. The git server that I need to work with has typical hierarchy of certificate chain:
RootCA -> AppCA -> gitserver
Actually RootCA and AppCA certs are in the OS key store. I used MMC/certmgr to export them in Base64 format to files. Then tried use them in two ways:
providing manually path for exported .crt file as follows:
git config --global http.sslCAInfo <path>\<certfile>
adding contents of the cert file to the git cert file 'ca-boundle.crt'
When I use RootCA only it does not work. When trying to clone repo from the server by https it returns the error:
SSL certificate problem: unable to get local issuer certificate
but if I use AppCA cert file only or gitserver cert file only it succeeds despite that git client does not have any above in chain certificates.
Now my question here is if I do export using MMC/certmgr intermediate certificate or do export of gitserver certificate from the browser then those exported certificates files includes all above certificates together up to the RootCA (complete certificate chain)?