ns-toconnor/ssl-configure-script

ssl-configure-scripts

Cross-platform scripts that detect popular CLI tools, libraries, and desktop apps and point them at a Netskope SSL-inspection certificate bundle.

Origin: Based on duduke/ssl-configure-scripts. This fork adds coverage for additional dev tools and switches certificate retrieval to work with Netskope Secure Enrollment (tenant API + local STAgent certs) instead of the legacy org-key flow.

Disclaimer: These scripts are based on publicly available Netskope and individual CLI/tool vendor documentation. They are not an official Netskope product and are not supported by Netskope. Use at your own risk.

Each script:

  1. Builds a CA bundle at <certDir>/<certName> containing the Netskope tenant CA + the Mozilla root bundle (from curl.se).
  2. Detects which supported tools are installed.
  3. For each tool, sets the appropriate env var or runs the tool's config command.
  4. Writes a replay script (configured_tools.sh / configured_tools.bat) alongside the bundle for silent deployment to other machines.

Scripts

Platform | Script | Cert source
macOS | configure_tools_mac.sh | Netskope API (Bearer token) or local STAgent certs
Linux | configure_tools_linux.sh | Netskope API (Bearer token) or local STAgent certs
Windows | configure_tools_windows.cmd (launcher) + configure_tools_windows.ps1 | Netskope API (Bearer token) or local STAgent certs
Any (Python) | universal_configure_tools.py | Netskope API (Bearer token) or local STAgent certs

If the Netskope client is installed locally, the script will offer to use nscacert.pem / nstenantcert.pem directly instead of calling the API. Otherwise you need a tenant Bearer token with permission to read /api/v2/services/certs/subordinates.

Prerequisites

  • macOS / Linux: python3, curl, and openssl on PATH
  • Windows: PowerShell 5.1 (ships with Windows 10+) or PowerShell 7+ (pwsh). The Windows path is implemented entirely in PowerShell — no python3 or curl required. The .cmd file is a thin launcher that forwards to configure_tools_windows.ps1.

Usage

macOS

chmod +x configure_tools_mac.sh
./configure_tools_mac.sh

Linux

chmod +x configure_tools_linux.sh
./configure_tools_linux.sh

Windows

configure_tools_windows.cmd

Prompts

Each script asks for:

  • Tenant name — e.g. tenant-name.goskope.com
  • Bundle filename — default netskope-cert-bundle.pem
  • Bundle directory — default ~/netskope (Unix) or C:\netskope (Windows)
  • API Bearer token — skipped if a local Netskope STAgent install is detected and accepted, or if NETSKOPE_API_TOKEN is set in the environment

Silent re-deployment

Each run emits a replay script next to the bundle:

  • macOS / Linux: source <certDir>/configured_tools.sh — must be sourced so export lines persist.
  • Windows: run <certDir>\configured_tools.ps1 — re-invokes configure_tools_windows.ps1 with -NonInteractive against the existing bundle (no tenant prompt, no API token required). The main .ps1 is copied next to the bundle so the deploy folder is self-contained; copy the bundle, configure_tools_windows.ps1, and configured_tools.ps1 to another machine and run the replay script.

Copy the bundle and the replay script to another machine to reproduce the same configuration without re-prompting.

Tools configured

Where a tool honors an environment variable, the script exports it in the user's shell config (~/.bash_profile, ~/.bashrc, ~/.zshenv) or via setx on Windows. Where the tool has a native config command, the script runs it directly.

Tool | How it's configured
Git | git config --global http.sslCAInfo (Windows) / GIT_SSL_CAINFO env var (Unix)
OpenSSL | SSL_CERT_FILE env var
cURL | CURL_CA_BUNDLE env var
Python Requests / Azure CLI | REQUESTS_CA_BUNDLE env var
Python pip | PIP_CERT env var
AWS CLI | AWS_CA_BUNDLE env var
Google Cloud CLI | gcloud config set core/custom_ca_certs_file
Node.js | NODE_EXTRA_CA_CERTS env var
npm | npm config set cafile
Yarn | yarn config set httpsCaFilePath
Claude CLI | NODE_EXTRA_CA_CERTS env var
Netskope CLI (ntsk / netskope) | NETSKOPE_CA_BUNDLE + SSL_CERT_FILE + REQUESTS_CA_BUNDLE + CURL_CA_BUNDLE env vars (ntsk hits raw ssl/urllib paths, so all four are needed when openssl/curl/python aren't on PATH)
Ruby | SSL_CERT_FILE env var
PHP Composer | composer config --global cafile
Oracle Cloud CLI | OCI_CLI_CA_BUNDLE env var
Cargo (Rust) | CARGO_HTTP_CAINFO env var
Azure Storage Explorer | Copies bundle into the app's certs/ directory
Claude Desktop | Detect-only — Electron reads NODE_EXTRA_CA_CERTS from the user environment at launch (set by setx on Windows; macOS GUI apps may need launchctl setenv)
VS Code / VS Code Insiders / Cursor | Adds NODE_EXTRA_CA_CERTS to terminal.integrated.env.* in settings.json

Note: Go (crypto/x509) picks up SSL_CERT_FILE automatically — it's already set by the OpenSSL entry, so there's no separate Go step.
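
The four steps under "Each script" and the env-var rows of the table above, reduced to a small Python sketch. This is an added example, not code from this repository: the function names, fake_pem and the sample paths are hypothetical, and the PEM check only confirms that each CERTIFICATE block is valid base64, not that it is a well-formed X.509 certificate.

```python
import base64
import re
import shlex
import shutil

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)
# Env var per tool, from the "Tools configured" table (Unix column, subset).
TOOL_ENV = {"git": "GIT_SSL_CAINFO", "openssl": "SSL_CERT_FILE",
            "curl": "CURL_CA_BUNDLE", "pip": "PIP_CERT",
            "node": "NODE_EXTRA_CA_CERTS", "cargo": "CARGO_HTTP_CAINFO"}

def fake_pem(label, kind="CERTIFICATE"):
    """Constructed stand-in block: base64 of a label, not a real X.509 cert."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"

def pem_certs(text):
    """CERTIFICATE blocks only, re-wrapped at 64 columns; bad base64 dropped."""
    out = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return out

def build_bundle(tenant_pem, roots_pem):
    """Step 1: tenant CA first, then public roots, exact duplicates dropped."""
    return "".join(dict.fromkeys(pem_certs(tenant_pem) + pem_certs(roots_pem)))

def detect_tools():
    """Step 2: a tool counts as installed when its binary is on PATH."""
    return [t for t in TOOL_ENV if shutil.which(t)]

def replay_lines(bundle_path, installed):
    """Steps 3-4: one export per installed tool, path quoted for `source`."""
    q = shlex.quote(bundle_path)
    return [f"export {TOOL_ENV[t]}={q}" for t in installed if t in TOOL_ENV]

if __name__ == "__main__":
    roots = fake_pem("root-1") + fake_pem("tenant-ca") + fake_pem("k", "PRIVATE KEY")
    bundle = build_bundle(fake_pem("tenant-ca"), roots)
    print(bundle.count("BEGIN CERTIFICATE"), "certificates in bundle")
    print("\n".join(replay_lines("/home/dev/netskope/netskope-cert-bundle.pem", detect_tools())))
```

Because the replay script is sourced into the user's shell, the bundle path is passed through shlex.quote so a directory name containing spaces or shell metacharacters stays a single literal argument.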

Notes

  • New shells only — setx (Windows) and shell-config exports take effect in new terminal sessions, not the one that ran the script.
  • Restart GUI apps — Claude Desktop, VS Code variants, and Azure Storage Explorer need to be restarted after configuration.
  • Backup on edit — JSON configs (VS Code variants) are backed up to <file>.backup during the edit and restored automatically if the patch fails. The VS Code patch is JSONC-aware (preserves https:// URLs and other comment-like content inside string literals).
  • REQUESTS_CA_BUNDLE is shared — Python Requests and Azure CLI both read it, so setting it once configures both.
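
The "Backup on edit" behaviour described above, sketched in Python as an added example (not the repository's code). The names strip_jsonc and patch_settings, the sample settings and the choice of terminal.integrated.env.linux are assumptions; this sketch rewrites the file as plain JSON, so comments are not kept, and it treats anything json cannot parse (trailing commas included) as a failed patch that triggers the restore.

```python
import json
import shutil
from pathlib import Path

# Constructed sample settings.json: comments plus a URL inside a string.
SAMPLE = """{
    // lab proxy
    "http.proxy": "https://proxy.example.test:8080", /* keep */
    "editor.tabSize": 4
}"""

def strip_jsonc(text):
    """Drop // and /* */ comments; text inside string literals is untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:   # copy the escaped char, e.g. \"
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):     # line comment: jump to the newline
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif text.startswith("/*", i):     # block comment: jump past */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def patch_settings(path, bundle, key="terminal.integrated.env.linux"):
    """Back up, add NODE_EXTRA_CA_CERTS, restore the backup on any parse error."""
    backup = path + ".backup"
    shutil.copyfile(path, backup)
    try:
        settings = json.loads(strip_jsonc(Path(path).read_text(encoding="utf-8")))
        settings.setdefault(key, {})["NODE_EXTRA_CA_CERTS"] = bundle
        Path(path).write_text(json.dumps(settings, indent=4), encoding="utf-8")
        return True
    except (ValueError, AttributeError, TypeError):
        shutil.copyfile(backup, path)      # file is byte-for-byte as before
        return False
```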

Python (any platform)

python3 universal_configure_tools.py

Stdlib only — no pip install needed.

Other files

  • check_ssl.js — quick Node.js probe for verifying a TLS endpoint after configuration.
