[DOCS] Enterprise network docs missing OS certificate store default and `CLAUDE_CODE_CERT_STORE` override
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/network-config
Section/Topic
Enterprise TLS / custom CA guidance and the environment variable reference for certificate trust behavior
Current Documentation
The enterprise network guide currently documents custom CA setup as:
## Custom CA certificates If your enterprise environment uses custom CAs for HTTPS connections (whether through a proxy or direct API access), configure Claude Code to trust them: export NODE_EXTRA_CA_CERTS=/path/to/ca-cert.pem
The environment variable reference documents adjacent certificate-related variables such as:
CLAUDE_CODE_CLIENT_CERT — Path to client certificate file for mTLS authentication
Neither page documents the new default behavior of trusting the OS CA certificate store, nor the CLAUDE_CODE_CERT_STORE override.
What's Wrong or Missing?
Claude Code v2.1.101 now trusts the OS CA certificate store by default so enterprise TLS proxies work without extra setup, and it adds CLAUDE_CODE_CERT_STORE=bundled as an override to use only bundled certificate authorities.
That behavior is missing from the docs. As written today, the enterprise network guidance implies users must manually configure custom CAs, and the env var reference gives no way to discover the override.
Users in enterprise environments do not have documentation for:
- the new default trust behavior
- when manual
NODE_EXTRA_CA_CERTSsetup is still needed - how to opt back into bundled-only CA trust
- how these settings interact with proxy and mTLS setups
Suggested Improvement
Update the network configuration and env var docs to explain:
- Claude Code now trusts the OS CA certificate store by default
- this helps enterprise TLS-intercepting proxies work without extra setup
CLAUDE_CODE_CERT_STORE=bundledswitches back to bundled CAs only- when
NODE_EXTRA_CA_CERTSis still the right tool (for example, custom private roots not present in the OS store)
A short before/after example for enterprise proxy environments would make the change easier to understand.
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/network-config | Enterprise proxy/custom CA guidance only documents manual NODE_EXTRA_CA_CERTS setup |
| https://code.claude.com/docs/en/env-vars | Certificate-related env vars include mTLS settings, but not CLAUDE_CODE_CERT_STORE |
Total scope: 2 pages affected
Source: Claude Code v2.1.101 release notes
Added OS CA certificate store trust by default, so enterprise TLS proxies work without extra setup (set CLAUDE_CODE_CERT_STORE=bundled to use only bundled CAs)This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗