jfrog · RemiBou · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
diff --git a/auth/cert/loader.go b/auth/cert/loader.go
@@ -44,7 +44,6 @@ func LoadCertificate(clientCertPath, clientCertKeyPath string) (certificate tls.
 }
 
 func GetTransportWithLoadedCert(certificatesDirPath string, insecureTls bool, transport *http.Transport) (*http.Transport, error) {
-	// Remove once SystemCertPool supports windows
 	caCertPool, err := loadSystemRoots()
 	err = errorutils.CheckError(err)
 	if err != nil {

diff --git a/auth/cert/loader_test.go b/auth/cert/loader_test.go
@@ -0,0 +1,34 @@
+package cert
+
+import (
+	"crypto/tls"
+	"net/http"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLoadSystemRootsNeverReturnsNilPool(t *testing.T) {
+	pool, err := loadSystemRoots()
+	require.NoError(t, err)
+	assert.NotNil(t, pool)
+}
+
+func TestGetTransportWithLoadedCert(t *testing.T) {
+	transport := &http.Transport{}
+	result, err := GetTransportWithLoadedCert(filepath.Join(t.TempDir(), "missing-certs"), false, transport)
+	require.NoError(t, err)
+	require.NotNil(t, result.TLSClientConfig)
+	assert.NotNil(t, result.TLSClientConfig.RootCAs)
+	assert.Equal(t, uint16(tls.VersionTLS12), result.TLSClientConfig.MinVersion)
+	assert.False(t, result.TLSClientConfig.InsecureSkipVerify)
+}
+
+func TestGetTransportWithLoadedCertInsecureTls(t *testing.T) {
+	transport := &http.Transport{}
+	result, err := GetTransportWithLoadedCert("", true, transport)
+	require.NoError(t, err)
+	assert.True(t, result.TLSClientConfig.InsecureSkipVerify)
+}
diff --git a/auth/cert/sslutils.go b/auth/cert/sslutils.go
@@ -0,0 +1,13 @@
+package cert
+
+import (
+	"crypto/x509"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+	pool, err := x509.SystemCertPool()
+	if pool == nil {
+		pool = x509.NewCertPool()
+	}
+	return pool, err
+}
diff --git a/auth/cert/sslutils_default.go b/auth/cert/sslutils_default.go
diff --git a/auth/cert/sslutils_windows.go b/auth/cert/sslutils_windows.go