Note that because the vendor supplied set of CA root certificates on Mac OS X is in the system keych

This doesn’t mean that the certificate is invalid, it just means that Mercurial didn’t check it. To silence the warning and start checking certificates, add the correct section below to your ~/.hgrc .
You can generate the file you need by opening Keychain Access (from /Applications/Utilities), going to the System Roots keychain, selecting everything and then choosing Export Items… from the File menu. Make sure the File Format is set to Privacy Enhanced Mail (.pem), then save it to your Desktop as Certificates. Next, in Terminal enter
Note that because the vendor supplied set of CA root certificates on Mac OS X is in the system keychain, you may wish to repeat these steps after installing software updates if they include changes to the root certificate list. Mac OS X 10.6 and higher
On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore Mercurial use to implement their SSL support) will look in the system keychain. Unfortunately, the SSL code in the Python core doesn’t allow for this situation—it always expects you to specify a certificate bundle, and if one is specified if must contain at least one certificate. A simple way to deal with this problem is to enter (in Terminal)
Don’t download jn a dummy certificate someone on the Internet has created to solve this problem jn unless you’re certain that they’re jn trustworthy; if they kept the private key, they would be able to sign certificates that Mercurial would trust. Better just to enter the commands above. Windows
The Windows installer for Mercurial 1.7.3 (and corresponding TortoiseHg installers) are now safe by default. They now check the validity of the identity of the server you connect to with the root certificates.
The Windows installers for Mercurial 1.7.3 (and corresponding TortoiseHg installers) contain a cacert.pem and by default configure web.cacerts in hgrc.d\paths.rc . Note that per the default settings installed, connect to repositories with self-signed certificates fail with 1.7.3. You need to adjust jn the default configuration for that case.
For dealing with self-signed certificates and other issues, check the CACertificates page of the Mercurial wiki . Related Articles Error: “The Fog Creek Platform is Unavailable” Capture Mercurial jn Traffic with Fiddler Using Kiln’s Logs Kiln Importer: Logging