Private certificate authorities, TLS-inspecting proxies, and internal HTTPS endpoints can cause AWS CLI commands to fail even when credentials, regions, and service names are otherwise correct. Saving a custom CA bundle keeps certificate validation enabled while allowing the CLI to trust the certificate chain that the target endpoint actually presents.
The AWS CLI stores the persistent certificate bundle path as ca_bundle in the selected profile inside ~/.aws/config on Linux and macOS, or %UserProfile%\.aws\config on Windows. That saved profile value is only the default source, because AWS_CA_BUNDLE overrides it for the current shell or automation job and the global --ca-bundle option overrides both for one command.
The bundle file must be readable and must contain the root and intermediate certificates needed by the endpoint, usually in PEM format. An absolute path avoids ambiguity across shells, CI jobs, and alternate working directories, and --no-verify-ssl should stay limited to short-lived troubleshooting because it disables TLS verification instead of fixing trust.
$ ls -l /etc/pki/anchors/company-root-ca.pem
The file should contain the full issuing chain that the target endpoint needs for verification, not just one intermediate certificate copied in isolation.
$ aws configure get ca_bundle
If this command prints nothing, the default profile does not have a persistent ca_bundle value yet.
$ aws configure set ca_bundle /etc/pki/anchors/company-root-ca.pem
This writes ca_bundle = /etc/pki/anchors/company-root-ca.pem under the [default] section in ~/.aws/config without making a live AWS API call.
$ aws configure set ca_bundle /etc/pki/anchors/company-root-ca.pem --profile engineering
Named profiles are stored as [profile engineering] in the shared config file, so this leaves the default profile unchanged.
$ aws configure get ca_bundle
/etc/pki/anchors/company-root-ca.pem
$ aws configure get ca_bundle --profile engineering
/etc/pki/anchors/company-root-ca.pem
aws configure get reads the stored profile-backed setting directly, so it confirms the persistent value rather than a one-command override.
$ sed -n '1,20p' ~/.aws/config
[default]
ca_bundle = /etc/pki/anchors/company-root-ca.pem
[profile engineering]
ca_bundle = /etc/pki/anchors/company-root-ca.pem
The ca_bundle setting belongs in the shared config file, not in ~/.aws/credentials. If AWS_CONFIG_FILE is exported, inspect that path instead of the default file location.
$ printenv AWS_CA_BUNDLE
If this command prints a path, that environment variable overrides the saved ca_bundle profile setting until it is unset or the shell exits.
$ aws sts get-caller-identity --profile engineering
A successful run returns the normal identity response rather than an SSL: CERTIFICATE_VERIFY_FAILED or similar X.509 trust error.
$ aws sts get-caller-identity --profile engineering --ca-bundle /tmp/test-root-ca.pem
The --ca-bundle option overrides both the profile setting and AWS_CA_BUNDLE for that single request.
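To see the precedence rules above at work without making an API call, here is an added shell example (not AWS CLI code) that resolves the bundle a given profile would use and runs the pre-flight checks the bundle file must pass; the config file, profile names and stand-in certificate are constructed for the demo.

```sh
#!/bin/sh
# Added example, not AWS CLI code: resolve which CA bundle a command would use,
# following the precedence this guide describes:
#   --ca-bundle option  >  AWS_CA_BUNDLE variable  >  ca_bundle in the profile
# Paths, profile names and the sample config below are constructed for the demo.

# Print the ca_bundle stored for PROFILE in the shared config file.
# "default" lives under [default]; any other profile under [profile NAME].
ca_bundle_from_config() {
    _cfg=$1; _profile=$2
    if [ "$_profile" = default ]; then _section='[default]'
    else _section="[profile $_profile]"; fi
    awk -v want="$_section" '
        /^\[/ { sub(/[ \t]*$/, ""); in_section = ($0 == want); next }
        in_section && /^[ \t]*ca_bundle[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$_cfg"
}

# effective_ca_bundle CONFIG_FILE PROFILE [CLI_OVERRIDE]
# Mirrors the CLI precedence; AWS_CA_BUNDLE is read from the environment.
effective_ca_bundle() {
    if [ -n "$3" ]; then printf '%s\n' "$3"
    elif [ -n "$AWS_CA_BUNDLE" ]; then printf '%s\n' "$AWS_CA_BUNDLE"
    else ca_bundle_from_config "$1" "$2"; fi
}
# check_bundle PATH: absolute, readable, and holding at least one PEM
# certificate block. Returns 0 when usable, 1 otherwise (reason on stderr).
check_bundle() {
    case "$1" in /*) ;; *) echo "not an absolute path: $1" >&2; return 1;; esac
    [ -r "$1" ] || { echo "not readable: $1" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        || { echo "no PEM certificate block in $1" >&2; return 1; }
}

# Constructed sample config and a stand-in bundle (not a real certificate).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/config" <<'EOF'
[default]
ca_bundle = /etc/pki/anchors/company-root-ca.pem
[profile engineering]
region = us-east-1
ca_bundle = /etc/pki/anchors/company-root-ca.pem
EOF
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n' \
    > "$DEMO_DIR/root.pem"
echo "engineering profile resolves to: $(effective_ca_bundle "$DEMO_DIR/config" engineering)"
check_bundle "$DEMO_DIR/root.pem" && echo "stand-in bundle passes the pre-flight check"
```

Point check_bundle at the path effective_ca_bundle prints for your real profile to catch a relative path, a permissions problem or a non-PEM file before the next SSL error surfaces.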