I use a corporate VPN and every time I try a new client it throws a self-signed certificate error and it's getting very annoying.
There are plenty of similar questions on here, but they cover how to solve the problem for the specific client throwing the error. Also, unfortunately, the answer is often to disable SSL verification altogether, which is not ideal. This is not what I'm looking for.
I have installed the custom certificate in the Windows certificate store, but most clients seem to ignore this.
I have to ask, is there any general solution to this of any kind (including solutions at the VPN provider level that I could suggest) or is this a general failure of standardization and there's nothing that can be done about it?
The solution is to install the CA certificate used by the corporate proxy into the trust store(s) used by the applications. Unfortunately there is no generic way to do this which covers all applications.
This is because there is no single system-wide trust store: some applications might use the Windows trust store, some have application-specific trust stores, or even application-profile-specific ones like in Firefox. Sometimes the trust store is specific to the programming language used (like Java, Python) or to the library.
And sometimes the expected certificate, key or CA is hard-coded into the application (certificate pinning). In this case the application itself would need to be changed or exceptions added to the corporate firewall.
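
As an added illustration of the per-application trust stores described in the answer (not code from the original post): a Python sketch that merges an exported corporate CA into a PEM bundle and maps the environment variables several common tools read for their CA file. The function names, file names and sample certificates are assumptions made for this example; Java keystores and Firefox profiles use their own formats and are not covered.

```python
import hashlib
import re
import ssl
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
# These variables REPLACE a tool's CA list, so they need public roots + corporate CA.
REPLACING = ("SSL_CERT_FILE", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE",
             "GIT_SSL_CAINFO", "PIP_CERT")
# This one ADDS to Node.js's built-in roots, so the corporate CA alone is enough.
ADDITIVE = ("NODE_EXTRA_CA_CERTS",)

def split_pem(text):
    """Return each PEM certificate block found in text."""
    return PEM_RE.findall(text)

def merge_bundles(base_pem, corporate_pem):
    """Append corporate CAs to the base bundle, skipping certs already present."""
    seen, out = set(), []
    for pem in split_pem(base_pem) + split_pem(corporate_pem):
        # Compare decoded bytes so whitespace or line-wrap differences don't matter.
        digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
        if digest not in seen:
            seen.add(digest)
            out.append(pem)
    return "\n".join(out) + "\n"

def write_trust_files(out_dir, base_pem, corporate_pem):
    """Write both files and return {environment variable: file path}."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    merged, extra = out / "merged-ca-bundle.pem", out / "corporate-ca.pem"
    merged.write_text(merge_bundles(base_pem, corporate_pem), encoding="ascii")
    extra.write_text(merge_bundles("", corporate_pem), encoding="ascii")
    env = {name: str(merged) for name in REPLACING}
    env.update({name: str(extra) for name in ADDITIVE})
    return env

# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
SAMPLE_BASE = "".join(ssl.DER_cert_to_PEM_cert(b) for b in
                      (b"constructed public root A", b"constructed public root B"))
SAMPLE_CORP = ssl.DER_cert_to_PEM_cert(b"constructed corporate proxy CA")

if __name__ == "__main__":
    for name, path in write_trust_files("trust-demo", SAMPLE_BASE, SAMPLE_CORP).items():
        print(f"{name}={path}")
```

In real use the base bundle would be the public root list the tool already relies on, for example the file returned by `certifi.where()` for `requests`.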