TFS 2017 On-Premises and Git over SSL

If your TFS server is using a certificate from an Active Directory based Certificate Server and you decide to use Git for version control choice you will quickly find out the certificate will not be trusted by Visual Studio or Git.exe when you attempt to Clone a Repository.  Those Team Foundation Version Control (TFVC) users have it so easy… 😛

You will get an error like this:

C:\Users\Wes\Source\Repos\PPPE>git clone https://tfs.like10.local/tfs/DefaultCollection/DPI-CIO/_git/PPPE

Cloning into ‘PPPE’…

fatal: unable to access ‘https://tfs.like10.local/tfs/DefaultCollection/DPI-CIO/_git/PPPE/’: SSL certificate problem: unable to get local issuer certificate

You could disable SSL certificate validation in Git, but that is definitely not the preferred option otherwise why would your organization be using SSL.  It is possible to add your corporate certificate to git.exe’s certificate store.  First, let’s export the certificate.  If you happen to be using Edge on Windows 10 you will quickly notice you cannot view the SSL certificate.  Click the ellipsis in the Edge toolbar and select Open with Internet Explorer.

Once you have your TFS website open in Internet Explorer click the lock icon to the right of the address bar and click on the View certificates link and go to the Certification Path tab.  Select the top most certificate which will be the root certificate for your organization and click View Certificate and go to the Details tab.

Click on the Copy to File… button to launch the Certificate Export Wizard.  Once in the wizard click Next, on the Export File Format page choose Base-64 encoded X.509 (.CER) then click Next.

NOTE:  If the Copy to File… button appears disabled try launching Internet Explorer 11 as Administrator.

Finally, save the certificate in your documents folder or on the desktop, we will need to get to the contents of this file shortly.

Open a Developer Command Prompt so we can switch the Git certificate store to one that you control.  Git for Windows uses the following text file as its’ root certificate store “C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt”.  We will make a copy of this file and place it in our home directory by executing the following command.

copy “C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt” %userprofile%

This file is just a text file with all of the certificates that Git trusts, now that we have our own copy we can append our root certificate that we saved earlier to the end of it.  This file will not display properly in notepad so I’ll use Notepad++ instead to edit the file.

Using Notepad++ open the root certificate you exported earlier, copy and paste the entire contents to the end of the ca-bundle.crt file and click Save.

We must now configure Git.exe to use this new copy of the ca-bundle.crt as the source of trusted certificates.  At the developer command prompt execute the following command:

git config –global http.sslCAInfo C:/users/Wes/ca-bundle.crt

Note: The path will be different for your home directory.  Make sure you use two dashes before the keyword global and forward slashes in the file path.

You can now start Visual Studio 2017 and Clone a Git Repository over SSL!