I have added this issue to the tracker:
Issue 2212 – Updates check fail because winscp.net certificate cannot be validated
You can vote for it there.

I did check Git source code (or actually Curl code, as that's what Git uses for HTTP[S]) and the code seems pretty much the same as what WinSCP is doing.

Do you think it's possible for me to somehow configure my Windows to behave like yours? Do you know what exactly causes WinSCP to fail the certificate validation?

Thanks. I'll look into it.

Git for Windows with the

command run works fine.

As does Python with the pip-system-certs extension loaded.

Does "everything else" include another open source software, that I can check?

I'm seeing this when SSL Decryption is enabled

Certificate not trusted.
Error: 800B0109, Chain index: 0, Element index: -1
Server certificate verification failed: issuer is not trusted

Excluding winscp.net from SSL Decryption makes checking for updates work normally. Our RootCA cert is installed in the machine cert store under Trusted Root Certification Authorities and working fine for everything else

All HTTPS connections (updates, S3, WebDAV) use the same mechanism for verifying the certificates. So all use Windows certificate store, via CertVerifyCertificateChainPolicy.
Can you post the exact error message you are getting?

Hi

While I understand WinSCP uses the Windows Certificate Store to validate certificates for connections, it appears it does not use it when checking for updates.

We have SSL interception on and when checking for updates I see a certificate chain error and it fails to check for updates. The RootCA certificate is in the Windows certificate store as a Trusted CA nd works for everything else.

I've found other posts discussing that WinSCP does use the Windows Certificate Store for S3 connections etc (not that I've tried that) but I'm guessing the update lookup is just missing that piece of validation code.