The load_verify_locations() method of SSLContext class in Python

Method Name:

load_verify_locations

Method Signature:

load_verify_locations(cafile=None, capath=None, cadata=None)

Parameters:

cafile – Path of the file containing the CA certificate(s)

capath – Path of the directory containing the CA certificate(s)

cadata – The certificate data in PEM or DER format.

Return Value:

None

Overview:

  • The method load_verify_locations() of the SSLContext class loads a set of CA certificates used for verifying the certificate of the peer.
  • The CA certificates are the certificates of Certifying Authorities. Usually, a Certifying Authority delegates the work of issuing certificates to a set of subordinate authorities, each of which may in turn delegate to a further set of authorities, forming a CA chain.
  • While validating a peer’s certificate, the host validates one or more certificates in the CA chain.

Example:

The client below connects to the TLS Server program from the Introduction to the SSLSocket class in Python.

# Example Python program that uses SSLContext.load_verify_locations()
# to load one or more CA certificates, which are then used to verify
# the certificate presented by the server
import socket
import ssl

# IP address and port number
ipAddress   = "127.0.0.1"
portNumber  = 15001

# SSLContext construction
sslSettings                     = ssl.create_default_context()
sslSettings.check_hostname      = True

# Load a CA certificate.
# The CA certificate will be used to validate the certificate from the server
sslSettings.load_verify_locations("./DemoCA.pem")

# Loading of client certificate which will be validated by the server
sslSettings.load_cert_chain(certfile="./DemoClt1.pem", 
                            keyfile="./DemoClt1.key")

# create_default_context() in Python 3.13 enables VERIFY_X509_STRICT;
# clear the flag so that the self-signed demo certificates are accepted
sslSettings.verify_flags = sslSettings.verify_flags & ~ssl.VERIFY_X509_STRICT

# Streaming socket
s = socket.socket()

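# Obtain SSLSocket instance - the socket is not connected yet,
# so the TLS handshake is deferred until connect()
ss  = sslSettings.wrap_socket(s, server_hostname = "DemoServer",
                              server_side = False)

# Connect to the server - the TLS handshake, including verification of the
# server certificate against the loaded CA certificates, happens here
ss.connect((ipAddress, portNumber))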

# Print the loaded certificate statistics
print("Certificates currently loaded into the SSLContext")
print(sslSettings.cert_store_stats())

# Send a message to the server
ss.sendall("Hello Server!".encode())

# Receive time from server
dataFromServer = ss.recv(1024)

print("Message received from the server")
print(dataFromServer)

# Close the secure socket
ss.close()

# Get rid of the original socket
s.close()

Output - Client:

Certificates currently loaded into the SSLContext
{'x509': 146, 'crl': 0, 'x509_ca': 146}
Message received from the server
b'2025-10-13 21:34:36.937342'

Output - Server: 

<class 'dict'>
Client certificate(X.509):
{'subject': ((('countryName', 'IN'),), (('stateOrProvinceName', 'KA'),), (('localityName', 'BLR'),), (('organizationName', 'DemoClientOrg'),), (('organizationalUnitName', 'DemoClientUnit'),), (('commonName', 'DemoClient'),), (('emailAddress', 'democlient@democlienttesting.com'),)), 'issuer': ((('countryName', 'IN'),), (('stateOrProvinceName', 'KA'),), (('localityName', 'BLR'),), (('organizationName', 'DemoCAOrg'),), (('organizationalUnitName', 'DemoCAUnit'),), (('commonName', 'localca'),), (('emailAddress', 'localca@localcatest.com'),)), 'version': 1, 'serialNumber': '01', 'notBefore': 'Sep 22 10:58:45 2025 GMT', 'notAfter': 'Sep 22 10:58:45 2026 GMT'}
Received from client:
b'Hello Server!'
Securely sent 2025-10-13 21:34:36.937342 to ('127.0.0.1', 53032)
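
ssl.create_default_context() loads the platform's default CA certificates before load_verify_locations() is called, so the client above trusts DemoCA.pem in addition to those CAs, which is consistent with the 146 certificates reported by cert_store_stats(). The following example is added here and is not from the original page: it builds a context that trusts only what is passed to load_verify_locations() and reports how the method fails on unusable input; the helper names pinned_client_context, trust_summary and try_load are assumptions.

```python
import ssl

def pinned_client_context(cafile=None, capath=None, cadata=None):
    """Client context that trusts only the CA material passed in.

    A bare SSLContext starts with an empty certificate store, whereas
    ssl.create_default_context() first loads the platform's default CAs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, check_hostname on
    if cafile or capath or cadata:
        ctx.load_verify_locations(cafile=cafile, capath=capath, cadata=cadata)
    return ctx

def trust_summary(ctx):
    """Report what a context trusts and how strictly it verifies."""
    stats = ctx.cert_store_stats()
    return {
        "trusted_certs": stats["x509"],
        "ca_certs": stats["x509_ca"],
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "x509_strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }

def try_load(ctx, **locations):
    """Call load_verify_locations(); return "ok" or the exception class name."""
    try:
        ctx.load_verify_locations(**locations)
        return "ok"
    except (OSError, ValueError, TypeError) as exc:  # ssl.SSLError is an OSError
        return type(exc).__name__

if __name__ == "__main__":
    ctx = pinned_client_context()
    print("empty pinned context:", trust_summary(ctx))
    # Constructed inputs: a path that may not exist and text that is not PEM.
    print("cafile ./DemoCA.pem ->", try_load(ctx, cafile="./DemoCA.pem"))
    print("cadata 'not a certificate' ->", try_load(ctx, cadata="not a certificate"))
    print("no arguments ->", try_load(ctx))
    print("after loading:", trust_summary(ctx))
    print("default context:", trust_summary(ssl.create_default_context()))
```

Calling pinned_client_context(cafile="./DemoCA.pem") gives a context for the client above without the platform CAs in its trust store; load_cert_chain() and wrap_socket() are then used on it in the same way.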

 


Copyright 2025 © pythontic.com