How to set a custom CA bundle in AWS CLI

Private certificate authorities, TLS-inspecting proxies, and internal HTTPS endpoints can cause AWS CLI commands to fail even when credentials, regions, and service names are otherwise correct. Saving a custom CA bundle keeps certificate validation enabled while allowing the CLI to trust the certificate chain that the target endpoint actually presents.

The AWS CLI stores the persistent certificate bundle path as ca_bundle in the selected profile inside ~/.aws/config on Linux and macOS, or

%UserProfile%\\.aws\\config

on Windows. That saved profile value is only the default source, because AWS_CA_BUNDLE overrides it for the current shell or automation job and the global --ca-bundle option overrides both for one command.

The bundle file must be readable and must contain the root and intermediate certificates needed by the endpoint, usually in PEM format. An absolute path avoids ambiguity across shells, CI jobs, and alternate working directories, and --no-verify-ssl should stay limited to short-lived troubleshooting because it disables TLS verification instead of fixing trust.

Steps to set a custom CA bundle in AWS CLI:

Confirm the bundle file that should be trusted is present and readable from the shell that runs AWS CLI commands.
```
$ ls -l /etc/pki/anchors/company-root-ca.pem
```
The file should contain the full issuing chain that the target endpoint needs for verification, not just one intermediate certificate copied in isolation.
Read the currently saved bundle path for the default profile before changing it.
```
$ aws configure get ca_bundle
```
If this command prints nothing, the default profile does not have a persistent ca_bundle value yet.
Save the custom CA bundle for the default profile.
```
$ aws configure set ca_bundle /etc/pki/anchors/company-root-ca.pem
```
This writes
```
ca_bundle = /etc/pki/anchors/company-root-ca.pem
```
under the
```
[default]
```
section in ~/.aws/config without making a live AWS API call.
Save the bundle on a named profile when only one account or environment should use the custom trust chain.
```
$ aws configure set ca_bundle /etc/pki/anchors/company-root-ca.pem --profile engineering
```
Named profiles are stored as
```
[profile engineering]
```
in the shared config file, so this leaves the default profile unchanged.
Related: How to configure multiple AWS CLI profiles
Read the saved value back from the profiles that were updated.
```
$ aws configure get ca_bundle
/etc/pki/anchors/company-root-ca.pem

$ aws configure get ca_bundle --profile engineering
/etc/pki/anchors/company-root-ca.pem
```
aws configure get reads the stored profile-backed setting directly, so it confirms the persistent value rather than a one-command override.
Inspect the shared AWS CLI config file when the profile section or exact stored line needs to be confirmed directly.
```
$ sed -n '1,20p' ~/.aws/config
[default]
ca_bundle = /etc/pki/anchors/company-root-ca.pem

[profile engineering]
ca_bundle = /etc/pki/anchors/company-root-ca.pem
```
The ca_bundle setting belongs in the shared config file, not in ~/.aws/credentials. If AWS_CONFIG_FILE is exported, inspect that path instead of the default file location.

Related: How to find the AWS CLI config file
Check whether the current shell or automation job is already overriding the saved profile value with AWS_CA_BUNDLE.
```
$ printenv AWS_CA_BUNDLE
```
If this command prints a path, that environment variable overrides the saved ca_bundle profile setting until it is unset or the shell exits.
Run a normal AWS CLI command against the profile that needs the private CA and confirm the request no longer fails with certificate verification errors.
```
$ aws sts get-caller-identity --profile engineering
```
Success is a normal identity response rather than an SSL: CERTIFICATE_VERIFY_FAILED or similar x509 trust error.

Related: How to check the current caller identity in AWS CLI
Override the saved bundle for one command when testing a different trust chain without changing the profile permanently.
```
$ aws sts get-caller-identity --profile engineering --ca-bundle /tmp/test-root-ca.pem
```
The --ca-bundle option overrides both the profile setting and AWS_CA_BUNDLE for that single request.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.