Environment
- Claude Desktop version: 1.14271.0.0 (MSIX/Windows Store install)
- Platform: Windows 11 Enterprise
- Backend: Corporate LMG gateway behind SSL inspection proxy (self-signed cert)
- Leidos Cloud PKI Root CA-2 installed in Windows trusted root store
Describe the bug
The Claude Desktop Code tab fails with a cert error when behind a corporate SSL inspection proxy, even after correctly configuring NODE_EXTRA_CA_CERTS. The terminal Claude Code CLI works fine with the same cert configuration.
Error shown in Code tab:
API Error: Unable to connect to API: Self-signed certificate detected. Check your proxy or corporate SSL certificates
Exit code in logs:
Failed to get commands from temporary query {
error: Error: Claude Code process exited with code 3
What was tried
NODE_EXTRA_CA_CERTS set as a Windows User environment variable pointing to the CA cert — ignored by Desktop (MSIX sandboxed app does not inherit Windows user env vars)
env block added to claude_desktop_config.json with NODE_EXTRA_CA_CERTS — Desktop rewrites this file on every restart, stripping unknown fields including the env block
NODE_EXTRA_CA_CERTS added to settings.json env block — passed to the claude.exe subprocess but the Electron layer itself still fails cert validation before the subprocess starts
- CA cert imported into Windows
LocalMachine\Root trusted store — Electron ignores Windows system cert store and uses its own bundled store
Root cause
Claude Desktop's Electron layer uses its own bundled cert store and does not use NODE_EXTRA_CA_CERTS or the Windows system cert store for its own TLS connections (OAuth, session init, etc.). The claude.exe subprocess it spawns can be configured via settings.json, but the Electron layer's startup queries (get commands, get agents) fail before the subprocess even starts.
Expected behavior
NODE_EXTRA_CA_CERTS configured in claude_desktop_config.json (or another durable config location) should be respected by the Electron process itself, not just the subprocess it spawns. Alternatively, an --use-system-ca-store flag or equivalent should be supported for enterprise deployments.
Workaround
Use the terminal Claude Code CLI instead of Desktop's Code tab. The CLI correctly reads NODE_EXTRA_CA_CERTS from settings.json env block and works behind the corporate proxy.
Environment
Describe the bug
The Claude Desktop Code tab fails with a cert error when behind a corporate SSL inspection proxy, even after correctly configuring
NODE_EXTRA_CA_CERTS. The terminal Claude Code CLI works fine with the same cert configuration.Error shown in Code tab:
Exit code in logs:
What was tried
NODE_EXTRA_CA_CERTSset as a Windows User environment variable pointing to the CA cert — ignored by Desktop (MSIX sandboxed app does not inherit Windows user env vars)envblock added toclaude_desktop_config.jsonwithNODE_EXTRA_CA_CERTS— Desktop rewrites this file on every restart, stripping unknown fields including theenvblockNODE_EXTRA_CA_CERTSadded tosettings.jsonenv block — passed to theclaude.exesubprocess but the Electron layer itself still fails cert validation before the subprocess startsLocalMachine\Roottrusted store — Electron ignores Windows system cert store and uses its own bundled storeRoot cause
Claude Desktop's Electron layer uses its own bundled cert store and does not use
NODE_EXTRA_CA_CERTSor the Windows system cert store for its own TLS connections (OAuth, session init, etc.). Theclaude.exesubprocess it spawns can be configured viasettings.json, but the Electron layer's startup queries (get commands,get agents) fail before the subprocess even starts.Expected behavior
NODE_EXTRA_CA_CERTSconfigured inclaude_desktop_config.json(or another durable config location) should be respected by the Electron process itself, not just the subprocess it spawns. Alternatively, an--use-system-ca-storeflag or equivalent should be supported for enterprise deployments.Workaround
Use the terminal Claude Code CLI instead of Desktop's Code tab. The CLI correctly reads
NODE_EXTRA_CA_CERTSfromsettings.jsonenv block and works behind the corporate proxy.