Can you provide some more info on that ecosystem? I don't use Windows, so I wouldn't know where to start to find its root store.

Thanks, I haven't found a solution yet, but poking around on the web:

• The old solution (may still work) seems to be to add to git-for-windows' store: https://blogs.msdn.microsoft.com/phkelley/2014/01/20/adding-a-corporate-or-self-signed-certificate-authority-to-git-exes-store/
• git itself apparently has a way to switch to using the global CA store by git config --global http.sslBackend schannel... but that seems to be specific to git (as expected, since it uses git config)

I haven't tried the first with the curl that ships in the git-for-windows world; maybe it would work. The second (git config) approach definitely didn't work for me.

It looks to me like

$ cat $(mkcert -CAROOT)/rootCA.pem >> /mingw64/ssl/certs/ca-bundle.crt

does the job from within git-bash context.

Outside git-bash context, I believe the directory is typically C:\Program Files\Git\mingw64\ssl\certs

In Most corporate settings it is best to set it to use Windows Trusted CA Store, since that will be managed by your IT (like if they inspect outbound HTTPS traffic) using
git config --global http.sslBackend schannel
as suggested by @rfay

Typically, windows has no certificates dir, but stores in win registory.
If you want to import into the registory with using cli, It seems that certutil command can be used.

certutil.exe -addstore root c:\capublickey.cer

See: https://superuser.com/questions/1506440/import-certificates-using-command-line-on-windows

@rfay From where did you acquire mkcert? It does not seem to be in my default git bash install.

Edit: I might not need it. Just cat and append to the ca-bundle.crt file.

Edit 2: solution not working for me...so, may be a problem somewhere else.

@jkugler - download the windows binary from the releases page, https://github.com/FiloSottile/mkcert/releases

In Most corporate settings it is best to set it to use Windows Trusted CA Store, since that will be managed by your IT (like if they inspect outbound HTTPS traffic) using
git config --global http.sslBackend schannel
as suggested by @rfay

but how to make that config for the entire git-bash? For example, I cannot perform any curls to https endpoints in my bash... (and all of my package managers suffer from the same issue... it's a pain to add the certificates for each of them, as they expire...)
Any ideas how to do that?