Bug report
Bug description:
ssl.py

```python
class SSLContext(_SSLContext):
    """An SSLContext holds various SSL-related configuration options and
    data, such as certificates and possibly a private key."""
    _windows_cert_stores = ("CA", "ROOT")
```
When a certificate is imported into the Windows "Intermediate Certification Authorities" store, most applications do not consider it a trusted CA and will fail to verify. Examples are the Chrome browser and .NET applications.
This can be tested using https://untrusted-root.badssl.com/ and downloading the public key and importing it into the "Intermediate Certification Authorities".
Cert = Windows CertMgr Name
Root = Trusted Root Certification Authorities
CA = Intermediate Certification Authorities
Given that other applications (Chrome, .NET) seem not to treat "CA" certificates as a trusted root, should Python load these by default?
Use Case:
Using a requests Adapter to load the Windows certificates rather than rely on Certifi.
https://requests.readthedocs.io/en/latest/user/advanced/#:~:text=10%27%2C%20%27rel%27%3A%20%27last%27%7D-,Transport%20Adapters%C2%B6,-As%20of%20v1.0.0
```python
import ssl

import requests
from requests.adapters import HTTPAdapter


class WindowsSSLContextAdapter(HTTPAdapter):
    def __init__(self, url_prefix):
        self.url_prefix = url_prefix
        super().__init__()

    def init_poolmanager(self, *args, **kwargs):
        # loads CA and ROOT certificates on Windows
        context = ssl.create_default_context()
        kwargs['ssl_context'] = context
        return super().init_poolmanager(*args, **kwargs)


# Mount the HTTPAdapter on a requests session
url_prefix = "https://"  # example prefix
session = requests.Session()
adapter = WindowsSSLContextAdapter(url_prefix)
session.mount(url_prefix, adapter)
```
CPython versions tested on:
3.11
Operating systems tested on:
Windows
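
An added example, not part of the original report and not CPython's own code: one way to build a client context that trusts only the Windows "ROOT" store and leaves "CA" out, for use as the `ssl_context` in the adapter above. The names `select_trust_anchors` and `root_only_context` and the sample entries are hypothetical; the filter follows the documented `ssl.enum_certificates()` tuple format, and because the "CA" store is not loaded, servers must send their intermediate certificates in the handshake.

```python
import ssl
import sys

SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid

# Constructed sample in the (cert_bytes, encoding_type, trust) shape that
# ssl.enum_certificates() returns; the byte strings are not real certificates.
CONSTRUCTED_ENTRIES = [
    (b"der-1", "x509_asn", True),                    # trusted for all purposes
    (b"der-2", "x509_asn", {"1.3.6.1.5.5.7.3.2"}),   # client auth only
    (b"der-3", "pkcs_7_asn", True),                  # PKCS#7, not a single cert
    (b"der-4", "x509_asn", {SERVER_AUTH_OID}),       # server auth
]


def select_trust_anchors(entries, purpose_oid=SERVER_AUTH_OID):
    """Return the DER certificates from `entries` usable for `purpose_oid`."""
    anchors = []
    for cert, encoding, trust in entries:
        if encoding != "x509_asn":
            continue
        # trust is True (all purposes) or a set of extended key usage OIDs
        if trust is True or purpose_oid in trust:
            anchors.append(cert)
    return anchors


def root_only_context(enumerate_store=None):
    """Client SSLContext whose trust anchors come from the "ROOT" store only."""
    if enumerate_store is None:
        if sys.platform != "win32":
            raise OSError("ssl.enum_certificates is only available on Windows")
        enumerate_store = ssl.enum_certificates
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking and,
    # unlike create_default_context(), loads no default certificates.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for der in select_trust_anchors(enumerate_store("ROOT")):
        try:
            ctx.load_verify_locations(cadata=der)
        except ssl.SSLError:
            continue  # skip a malformed store entry instead of failing
    return ctx
```

In `init_poolmanager`, `kwargs['ssl_context'] = root_only_context()` replaces the `create_default_context()` call; `ctx.cert_store_stats()` shows how many certificates were loaded.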