Trusting System Certificates or Adding Custom CAs

It appears that the Cursor “Agent” mode does not work through a SWG like Netskope, ZScaler, etc. if they’re doing SSL decryption. For some reason, I can use the “ask” mode OK though.

My question is, when is Cursor going to add the ability to add a custom CA or cert chain?

I’ve tried the following but the only thing that has worked is disabling SSL decryption at the SWG.

I’ve also added these to: Profiles → settings.json
Both separately and both have failed to work like I had hoped.

"http.systemCertificates": true
"http.experimental.systemCertificatesv2": true

I’ve also tried installing the extension that seemed to work in my VS Code environment, win-ca, which basically allows the VS Code environment to trust the system cert store.

Exact same issue, also on Netskope. Installing win-ca did not work for me personally.

Agent should work behind Netskope and Zscaler, using 0.50.x and http/2 disabled.

This resolved it for me.

Modify this file: %userprofile%\AppData\Roaming\Cursor\User\settings.json
Add these to the end of list:

"http.systemCertificates": true,
"http.experimental.systemCertificatesv2": true,
"cursor.general.disableHttp2": true

To see other approaches, expand below summary:

Summary

Cursor ZScaler Certificate

Configuration Guide

This guide helps you configure Cursor to work with ZScaler’s SSL decryption by installing and trusting your corporate certificate.

Solution Overview

ZScaler intercepts SSL traffic and re-signs it with its own certificate. Cursor needs to trust this certificate to function properly. There are multiple approaches - try them in order until one works.

Method 1: Install Certificate in Windows Certificate Store + Configure Cursor Settings

Step 1: Obtain the ZScaler Root Certificate

  1. Contact your IT department to get the ZScaler root certificate file (usually .crt, .cer, or .pem format)
  2. Or download it from your ZScaler admin portal if you have access

Step 2: Install Certificate in Windows Certificate Store

  1. Press Win + R, type mmc, and press Enter
  2. Go to File > Add/Remove Snap-in
  3. Select Certificates and click Add
  4. Choose Computer account > Local computer > Finish > OK
  5. Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates
  6. Right-click Certificates folder > All Tasks > Import
  7. Follow the wizard to import your ZScaler certificate file
  8. Select Place all certificates in the following store and verify it shows “Trusted Root Certification Authorities”
  9. Complete the import

Step 3: Configure Cursor to Trust System Certificates

  1. Open Cursor
  2. Press Ctrl + Shift + P (or Cmd + Shift + P on Mac) to open Command Palette
  3. Type “Preferences: Open User Settings (JSON)” and select it
  4. Add these settings to your settings.json:
{
  "http.systemCertificates": true,
  "http.experimental.systemCertificatesv2": true,
  "cursor.general.disableHttp2": true
}
  5. Save the file and restart Cursor

Method 2: Use NODE_EXTRA_CA_CERTS Environment Variable

If Method 1 doesn’t work, configure Node.js (which Cursor uses) to trust your certificate:

Step 1: Locate Your Certificate File

Save your ZScaler root certificate to a permanent location, e.g.:

  • C:\certs\zscaler-root.crt

Step 2: Set Environment Variable

  1. Press Win + X and select System
  2. Click Advanced system settings
  3. Click Environment Variables
  4. Under User variables (or System variables if you want it for all users), click New
  5. Variable name: NODE_EXTRA_CA_CERTS
  6. Variable value: C:\certs\zscaler-root.crt (use your actual path)
  7. Click OK on all dialogs
  8. Restart Cursor (and any terminal windows if you have them open)

Alternative: Set via PowerShell (Current Session Only)

$env:NODE_EXTRA_CA_CERTS = "C:\certs\zscaler-root.crt"

Method 3: Use SSL_CERT_FILE Environment Variable

Similar to Method 2, but using a different variable:

  1. Set environment variable SSL_CERT_FILE pointing to your certificate file
  2. Or set SSL_CERT_DIR pointing to a directory containing certificates
  3. Restart Cursor

Method 4: Install win-ca Extension (Windows Only)

  1. Open Cursor
  2. Go to Extensions (Ctrl+Shift+X)
  3. Search for “win-ca” extension
  4. Install it
  5. Restart Cursor

This extension helps Node.js applications use certificates from the Windows Certificate Store.

Method 5: Disable HTTP/2 (Already Included in Method 1)

If you haven’t already, add this to Cursor settings:

{
  "cursor.general.disableHttp2": true
}

This forces Cursor to use HTTP/1.1, which can bypass some SSL decryption issues.

Verification Steps

After applying any method:

  1. Restart Cursor completely
  2. Try using agentic coding features (Composer, Chat, etc.)
  3. Check for SSL/certificate errors in Cursor’s Developer Console:
    • Help > Toggle Developer Tools
    • Look for certificate or SSL errors in the Console tab

Additional Recommendations

Whitelist Cursor Domains in ZScaler

Ask your IT team to whitelist these Cursor domains to reduce interference:

  • api2.cursor.sh
  • api3.cursor.sh
  • repo42.cursor.sh
  • api4.cursor.sh
  • us-asia.gcpp.cursor.sh
  • us-eu.gcpp.cursor.sh
  • us-only.gcpp.cursor.sh

Bypass SSL Inspection for Cursor (If Policy Allows)

If your organization’s security policy permits, configure ZScaler to bypass SSL inspection for Cursor’s domains. This prevents certificate re-signing issues entirely.

Troubleshooting

  • Still not working? Try combining methods (e.g., install in cert store + set NODE_EXTRA_CA_CERTS + disable HTTP/2)
  • Certificate format issues? Convert between formats if needed:
    • .pem to .crt: Usually just rename the file
    • Use OpenSSL if conversion is needed: openssl x509 -in cert.pem -out cert.crt
  • Check certificate validity: Ensure the certificate hasn’t expired
  • Contact IT: If issues persist, your IT team may need to adjust ZScaler policies

Notes

  • These changes affect Cursor system-wide, not just individual projects
  • You may need administrator privileges to install certificates in the system store
  • Some methods require Cursor to be restarted to take effect
  • Keep your certificate file in a secure location if using environment variables
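
The checks behind Method 2 and the “Check certificate validity” troubleshooting item, as an added PowerShell example that is not part of the original thread. Node.js reads NODE_EXTRA_CA_CERTS as PEM only, so a DER-encoded .cer exported from Windows parses here but is not loaded by Node. Assumptions: Windows with .NET Framework 4.7.2 or later; the function name Test-ExtraCaFile and the temp file name are hypothetical, and the sample certificate is a constructed throwaway CA.

```powershell
# Added example: inspect the CA file before pointing NODE_EXTRA_CA_CERTS at it.
function Test-ExtraCaFile {
    param([string]$Path = $env:NODE_EXTRA_CA_CERTS)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        throw "CA file not found: '$Path'"
    }
    $full = (Resolve-Path -LiteralPath $Path).Path
    # Parses PEM or DER; only the first certificate in a bundle is inspected.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    # A root used for TLS inspection must carry basicConstraints CA=TRUE.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fp  = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    $sha.Dispose()
    [pscustomobject]@{
        Subject       = $cert.Subject
        IsPem         = (Get-Content -LiteralPath $full -Raw) -match '-----BEGIN CERTIFICATE-----'
        IsCa          = [bool]($bc -and $bc.CertificateAuthority)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotAfter      = $cert.NotAfter
        Expired       = ((Get-Date) -gt $cert.NotAfter)
        Sha256        = $fp   # compare with the fingerprint obtained out of band
        InMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                               Where-Object Thumbprint -eq $cert.Thumbprint)
    }
}

# Constructed sample input: a throwaway self-signed CA written as PEM to a temp file.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Test Root', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$req.CertificateExtensions.Add(
    [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$ca = $req.CreateSelfSigned(
    [DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
$pem = "-----BEGIN CERTIFICATE-----`n" +
    [Convert]::ToBase64String($ca.RawData, 'InsertLineBreaks') + "`n-----END CERTIFICATE-----`n"
$tmp = Join-Path $env:TEMP 'constructed-test-root.pem'
Set-Content -LiteralPath $tmp -Value $pem -Encoding ascii
Test-ExtraCaFile -Path $tmp   # expect IsPem, IsCa, SelfSigned true; InMachineRoot false
```

Run `Test-ExtraCaFile` with no arguments to inspect whatever NODE_EXTRA_CA_CERTS currently points at, and compare `Sha256` with the fingerprint your IT team publishes before trusting the file.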