
Netskope Global Technical Success (GTS)

Using AZURE CLI with Netskope: Handling SSL Certificate Errors in Windows 11 with AZURE CLI
 

Netskope Cloud Version - 126


 

Objective

Provide the necessary steps to resolve the SSL error when using AZURE CLI on Windows 11 with the Netskope client enabled.

 

Prerequisite

Use AZURE CLI through CMD on Windows 11. NGSWG must be enabled as part of the licensing. Netskope Client should be enabled.

 

Context

SSL certificate errors occur when running AZURE CLI commands with the Netskope agent active.

Configuration

With the Netskope client enabled, certificate errors occur when using AZURE CLI with certain commands.

If the agent is disabled, the errors disappear and the tool works correctly. The process is based on the Netskope documentation article: 

https://docs.netskope.com/en/configuring-cli-based-tools-and-development-frameworks-to-work-with-netskope-ssl-interception/

To avoid issues with this configuration, please temporarily disable the Netskope Client’s resource protection feature (“Protect Client configuration and resources”) by following the recommendations here: https://docs.netskope.com/en/netskope-client-configuration/ (refer to the “Tamperproof – Protect Client configuration and resources” section). You can re-enable this setting once the configuration process is completed.

The first step is to open a text editor that allows you to create a new .PEM file. In this file, you will combine the certificate from the following path:

C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem (for 64-bit Windows), and the Netskope certificate.

It’s important to review Microsoft’s article: https://learn.microsoft.com/en-us/cli/azure/use-azure-cli-successfully-troubleshooting?view=azure-cli-latest#work-behind-a-proxy to check the correct certificate path for 32-bit Windows, other distributions, and operating systems.

Essentially, copy the full contents of the Azure certificate file mentioned above into your new .pem file, and then append the contents of the Netskope certificate located at:

%ProgramData%\Netskope\STAgent\data\nscacert.pem

The final combined certificate should start with the Azure certificate content, and end with the Netskope certificate content.

The beginning of the file is an exact copy of the Azure certificate. 


The end of the file will be the addition of the Netskope certificate.

Then make sure to save this file in the .PEM format (the setx command further down assumes the file name nscacert_combined.pem). It can be saved in the following path:

C:\ProgramData\netskope\stagent - or in a path of your preference.


After that, you need to set the REQUESTS_CA_BUNDLE environment variable globally to point to the new certificate. Open a CMD window as administrator and run the following command:

  • setx REQUESTS_CA_BUNDLE "C:\ProgramData\netskope\stagent\nscacert_combined.pem" /M


Close this CMD window and open a new one as administrator as well. Make sure that the Netskope agent is enabled and the configuration is up to date. After this, you should be able to run Azure CLI commands in the CMD without encountering certificate issues.
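
The manual copy-and-paste steps above can also be scripted. The following PowerShell is an added example, not part of the original Netskope article or documentation; it assumes the 64-bit paths and the nscacert_combined.pem file name used above, and Get-PemBlocks is a helper defined only for this example. It checks that the combined bundle kept every certificate and ends with the Netskope certificate before setting the variable.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell window.
# Paths are the 64-bit Windows locations the article names; adjust them if yours differ.
$azureBundle = 'C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem'
$netskopeCa  = Join-Path $env:ProgramData 'Netskope\STAgent\data\nscacert.pem'
$combined    = 'C:\ProgramData\netskope\stagent\nscacert_combined.pem'

# Return the base64 body of every certificate block in a PEM text, whitespace removed.
function Get-PemBlocks([string]$Text) {
    $rx  = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $opt = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $rx, $opt)) {
        $m.Groups[1].Value -replace '\s', ''
    }
}

foreach ($p in $azureBundle, $netskopeCa) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Missing input file: $p" }
}

# ReadAllText/WriteAllText default to UTF-8 without a byte-order mark.
$azureText    = [System.IO.File]::ReadAllText($azureBundle).TrimEnd()
$netskopeText = [System.IO.File]::ReadAllText($netskopeCa).Trim()

# Azure bundle first, Netskope certificate last, with a newline between them so the
# END and BEGIN marker lines cannot end up fused on one line.
[System.IO.File]::WriteAllText($combined, $azureText + "`n`n" + $netskopeText + "`n")

# Verify the result before pointing Azure CLI at it.
$azure = @(Get-PemBlocks $azureText)
$ns    = @(Get-PemBlocks $netskopeText)
$out   = @(Get-PemBlocks ([System.IO.File]::ReadAllText($combined)))
if ($ns.Count -eq 0) { throw "No certificate found in $netskopeCa" }
if ($out.Count -ne $azure.Count + $ns.Count) { throw 'Combined bundle lost or fused a certificate' }
if ($out[-1] -ne $ns[-1]) { throw 'Bundle does not end with the Netskope certificate' }

# Show which CA was appended and when it expires.
$der  = [Convert]::FromBase64String($out[-1])
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
"{0} certificates written; appended CA: {1} (expires {2:yyyy-MM-dd})" -f $out.Count, $cert.Subject, $cert.NotAfter

# Same machine-wide setting as the article's setx command.
setx REQUESTS_CA_BUNDLE $combined /M
```

Review the printed subject and expiry date to confirm that the appended certificate is the Netskope CA you expect, since every Python tool that honours REQUESTS_CA_BUNDLE on this machine will trust it.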


Important:

This configuration should persist across AZURE CLI version changes since it sets a Windows environment variable. It’s important to note that the combined .pem certificate must not be moved or modified—doing so would cause the variable to point to an invalid location, resulting in certificate errors again. As of the time of execution, Azure CLI version 2.74.0 is being used. This behavior will be confirmed again as soon as a new version is released.


 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
