Added in version 1.3.
By default, pip will perform SSL certificate verification for networkconnections it makes over HTTPS. These serve to prevent man-in-the-middleattacks against package downloads.
Using a specific certificate store¶
The --cert option (and the corresponding PIP_CERT environment variable)allow users to specify a different certificate store/bundle for pip to use. Itis also possible to use REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE environmentvariables.
Using system certificate stores¶
Added in version 24.2.
Note
Versions of pip prior to v24.2 did not use system certificates by default.To use system certificates with pip v22.2 or later, you must opt-in using the --use-feature=truststore CLI flag.
On Python 3.10 or later, by defaultsystem certificates are used in addition to certifi to verify HTTPS connections.This functionality is provided through the truststore package.
If you encounter a TLS/SSL error when using the truststore feature you shouldopen an issue on the truststore GitHub issue tracker instead of pip’s issuetracker. The maintainers of truststore will help diagnose and fix the issue.
To opt-out of using system certificates you can pass the --use-deprecated=legacy-certsflag to pip.
Warning
On Python 3.9 or earlier, only certifi is used to verify HTTPS connections astruststore requires Python 3.10 or higher to function.
The system certificate store won’t be used in this case, so some situations like proxieswith their own certificates may not work. Upgrading to at least Python 3.10 or later isthe recommended method to resolve this issue.
