[DOCS] Enterprise network docs missing OS certificate store default and `CLAUDE_CODE_CERT_STORE` override

Resolved 💬 2 comments Opened Apr 10, 2026 by coygeek Closed Apr 15, 2026

Documentation Type

Missing documentation (feature not documented)

Documentation Location

https://code.claude.com/docs/en/network-config

Section/Topic

Enterprise TLS / custom CA guidance and the environment variable reference for certificate trust behavior

Current Documentation

The enterprise network guide currently documents custom CA setup as:

## Custom CA certificates If your enterprise environment uses custom CAs for HTTPS connections (whether through a proxy or direct API access), configure Claude Code to trust them: export NODE_EXTRA_CA_CERTS=/path/to/ca-cert.pem

The environment variable reference documents adjacent certificate-related variables such as:

CLAUDE_CODE_CLIENT_CERT — Path to client certificate file for mTLS authentication

Neither page documents the new default behavior of trusting the OS CA certificate store, nor the CLAUDE_CODE_CERT_STORE override.

What's Wrong or Missing?

Claude Code v2.1.101 now trusts the OS CA certificate store by default so enterprise TLS proxies work without extra setup, and it adds CLAUDE_CODE_CERT_STORE=bundled as an override to use only bundled certificate authorities.

That behavior is missing from the docs. As written today, the enterprise network guidance implies users must manually configure custom CAs, and the env var reference gives no way to discover the override.

Users in enterprise environments do not have documentation for:

  • the new default trust behavior
  • when manual NODE_EXTRA_CA_CERTS setup is still needed
  • how to opt back into bundled-only CA trust
  • how these settings interact with proxy and mTLS setups

Suggested Improvement

Update the network configuration and env var docs to explain:

  1. Claude Code now trusts the OS CA certificate store by default
  2. this helps enterprise TLS-intercepting proxies work without extra setup
  3. CLAUDE_CODE_CERT_STORE=bundled switches back to bundled CAs only
  4. when NODE_EXTRA_CA_CERTS is still the right tool (for example, custom private roots not present in the OS store)

A short before/after example for enterprise proxy environments would make the change easier to understand.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:
| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/network-config | Enterprise proxy/custom CA guidance only documents manual NODE_EXTRA_CA_CERTS setup |
| https://code.claude.com/docs/en/env-vars | Certificate-related env vars include mTLS settings, but not CLAUDE_CODE_CERT_STORE |

Total scope: 2 pages affected

Source: Claude Code v2.1.101 release notes

Added OS CA certificate store trust by default, so enterprise TLS proxies work without extra setup (set CLAUDE_CODE_CERT_STORE=bundled to use only bundled CAs)

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗