Solving TLS Certificate Issues with LootLocker API in Unity and Unreal Engine

Some developers have recently encountered TLS certificate errors when connecting to the LootLocker API from game builds using engines such as Unity and Unreal Engine. These issues are most commonly reported on Windows 10, but can also affect other operating systems and older systems that do not have up-to-date root certificates.
For example, you might see errors like:
libcurl error: 60 (SSL peer certificate or SSH remote key was not OK)
SSL certificate problem: unable to get local issuer certificate
While the API endpoint (e.g., https://api.lootlocker.com/) works fine for the developers, game engine builds for older systems may fail to connect securely. This guide explains the root cause of these TLS issues, why they are appearing now, and how to resolve them in a way that works across both Unity and Unreal Engine, and for a wide range of systems.
The Current Case: Amazon Certificate Rollout and Older Windows Machines
- In early 2025, Amazon (AWS) began phasing out the "Starfield Root Certificate Authority - G2" (old) in favor of the "Starfield Services Root Certificate Authority - G2" (new).
- Some systems, especially Windows 10 machines, may not have the new root certificate installed, even if they are fully updated via Windows Update.
- Browsers are unaffected because they use their own built-in trusted CA stores, but game engines (via cURL or similar) rely on the system’s CA store, which may be outdated.
- Other AWS-hosted services may still be unaffected, since Amazon is rolling the new certificate out to services running on its cloud over time. LootLocker, however, has already been migrated to the new certificate.
- As a result, API calls to LootLocker may fail with TLS errors, even though the endpoint is accessible in a browser.
Fixing a Broken TLS Cert
The solution is to bundle the missing root certificate with your game and ensure your engine (Unity or Unreal) uses it when making API calls. This approach resolves TLS issues not only for Windows 10 but for any system that lacks the required root certificate, and it future-proofs your game against similar certificate authority changes.
Here is how this guide is structured, with quick links to each section:
1. How to obtain the correct root certificate.
2. How to bundle and configure it with your Unity or Unreal Engine project.
3. Additional notes and troubleshooting.
1. Obtaining the Correct Root Certificate
The root certificate you need is the "Starfield Services Root Certificate Authority - G2". This is the new root CA used by Amazon for SSL certificates as of 2025.
- You can download the certificate directly from Amazon or reputable sources such as Mozilla or SSL Labs.
- For convenience, here is a direct link to the PEM file from Amazon:
- Save this file as SFSRootCAG2.pem (or similar) in your project directory.
2. Bundling and Configuring the Certificate in Your Project
For Unreal Engine
- Open (or create) the file Content/Certificates/cacert.pem in your project.
- Append the contents of SFSRootCAG2.pem to the end of cacert.pem (the file can hold multiple certificates).
- Make sure cacert.pem is included in your packaged builds (Unreal does this automatically for files in Content/Certificates). If it is not picked up during testing, add the Certificates folder to the "Additional Non-Asset Directories to Package" (or "to Copy") list in the project's Packaging settings.
- No additional configuration is needed if you use this default location and filename; Unreal will automatically use this CA bundle for HTTP requests.
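The append step above is a plain file concatenation, but it is worth checking what actually ends up in cacert.pem: that the PEM you downloaded really is a self-signed root, that nothing is listed twice, and when each entry expires. The following is an added example (not LootLocker's or Epic's code) of a small .NET command-line tool that merges any number of PEM files into a bundle, skips duplicates by thumbprint, and reports each certificate. File names on the command line are illustrative; it assumes .NET Framework 4.x or .NET Core/5+.

```csharp
// Added example, not part of the original guide: build/refresh a CA bundle from PEM files.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.RegularExpressions;

public static class CaBundleTool
{
    // Matches each "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block.
    static readonly Regex PemBlock = new Regex(
        "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        RegexOptions.Singleline);

    // Parses every certificate contained in a PEM string.
    public static List<X509Certificate2> ParsePem(string pem)
    {
        var certs = new List<X509Certificate2>();
        foreach (Match m in PemBlock.Matches(pem))
        {
            string b64 = Regex.Replace(m.Groups[1].Value, @"\s+", "");
            certs.Add(new X509Certificate2(Convert.FromBase64String(b64)));
        }
        return certs;
    }

    // Re-encodes a certificate as a PEM block with 64-character lines, so the output is normalised
    // regardless of how the input files were formatted.
    public static string ToPem(X509Certificate2 cert)
    {
        var sb = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        string b64 = Convert.ToBase64String(cert.RawData);
        for (int i = 0; i < b64.Length; i += 64)
            sb.Append(b64, i, Math.Min(64, b64.Length - i)).Append('\n');
        return sb.Append("-----END CERTIFICATE-----\n").ToString();
    }

    // Merges all input files into outputPath, dropping duplicates by thumbprint.
    // Returns the number of distinct certificates written.
    public static int Merge(string outputPath, params string[] inputPaths)
    {
        var seen = new HashSet<string>();
        var output = new StringBuilder();
        foreach (string path in inputPaths)
        {
            if (!File.Exists(path)) continue; // e.g. cacert.pem does not exist yet
            foreach (var cert in ParsePem(File.ReadAllText(path)))
            {
                if (!seen.Add(cert.Thumbprint)) continue; // already in the bundle
                // A root CA is self-signed: subject and issuer are the same name.
                string kind = cert.Subject == cert.Issuer ? "root" : "intermediate";
                Console.WriteLine($"{kind}: {cert.Subject} (expires {cert.NotAfter:yyyy-MM-dd}, sha1 {cert.Thumbprint})");
                output.Append(ToPem(cert));
            }
        }
        File.WriteAllText(outputPath, output.ToString());
        return seen.Count;
    }

    // Usage: CaBundleTool Content/Certificates/cacert.pem SFSRootCAG2.pem [more.pem ...]
    // The output file is read first, so re-running the tool never duplicates entries.
    public static void Main(string[] args)
    {
        string output = args[0];
        var inputs = new List<string> { output };
        for (int i = 1; i < args.Length; i++) inputs.Add(args[i]);
        int count = Merge(output, inputs.ToArray());
        Console.WriteLine($"{count} certificate(s) written to {output}");
    }
}
```

If the entry you just added is reported as "intermediate" rather than "root", you have downloaded the wrong file: the Starfield Services Root Certificate Authority - G2 is a self-signed root and should be listed as such.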
For Unity
Unity handles most certificate validation internally. LootLocker uses UnityWebRequest to make HTTP requests, which relies on Unity's own certificate bundle rather than the operating system's certificate store. This bundle is regularly updated by Unity and already includes major certificate authorities, such as Amazon’s Starfield Services Root CA.
If you do encounter TLS certificate issues, you can:
- Place the SFSRootCAG2.pem file in your Assets/StreamingAssets folder to make it accessible at runtime.
- Implement a custom CertificateHandler to handle certificate validation. Note that this overrides the default certificate validation entirely, so your handler must validate every certificate itself.
- Enable the LootLocker HTTP configuration overrides by going to Project Settings > Player > Other Settings > Script Compilation > Scripting Define Symbols and adding LOOTLOCKER_ENABLE_HTTP_CONFIGURATION_OVERRIDE.
- Before making any requests using LootLocker, call LootLockerSDKManager._OverrideLootLockerCertificateHandler(new <Your Certificate Handler>()). The custom certificate handler will now be used.
- To reset the certificate handler, call LootLockerSDKManager._OverrideLootLockerCertificateHandler(null).
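Because a custom CertificateHandler replaces Unity's validation completely, the one thing it must not do is return true unconditionally; that would make the game accept any certificate, including one presented by a network-level attacker. The following is an added example (not LootLocker's or Unity's code) of a handler that first tries normal validation and, only if the operating system does not trust the chain, accepts it when it terminates at the root bundled in StreamingAssets. It assumes SFSRootCAG2.pem has been copied into Assets/StreamingAssets as described above, that Unity passes the server's DER-encoded leaf certificate to ValidateCertificate, and that any intermediates needed to build the chain are either in the OS store, fetched by the chain builder, or appended to the same PEM file. The class name is illustrative.

```csharp
// Added example, not part of the original guide or the LootLocker SDK.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using UnityEngine;
using UnityEngine.Networking;

public class BundledRootCertificateHandler : CertificateHandler
{
    // Assumed location from this guide. Caveat: on Android, StreamingAssets lives inside the APK
    // and must be read with UnityWebRequest rather than File.ReadAllText.
    const string BundleFileName = "SFSRootCAG2.pem";

    readonly X509Certificate2Collection bundled = new X509Certificate2Collection();
    readonly HashSet<string> trustedRootThumbprints = new HashSet<string>();

    public BundledRootCertificateHandler()
    {
        string pem = File.ReadAllText(Path.Combine(Application.streamingAssetsPath, BundleFileName));
        var blocks = Regex.Matches(pem, "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", RegexOptions.Singleline);
        foreach (Match m in blocks)
        {
            var cert = new X509Certificate2(Convert.FromBase64String(Regex.Replace(m.Groups[1].Value, @"\s+", "")));
            bundled.Add(cert);
            // Only self-signed entries become trust anchors; intermediates in the file merely help chain building.
            if (cert.Subject == cert.Issuer) trustedRootThumbprints.Add(cert.Thumbprint);
        }
        if (trustedRootThumbprints.Count == 0)
            throw new InvalidOperationException("No root CA found in " + BundleFileName);
    }

    // Unity hands over the DER-encoded certificate received from the server.
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            var leaf = new X509Certificate2(certificateData);

            // 1. Normal validation: if the OS store already trusts the chain (up-to-date machine), accept it.
            //    Revocation checking is disabled so that an offline OCSP/CRL lookup cannot block play; enable
            //    it if your threat model requires revocation.
            using (var osChain = new X509Chain())
            {
                osChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                osChain.ChainPolicy.ExtraStore.AddRange(bundled);
                if (osChain.Build(leaf)) return true;
            }

            // 2. Fallback for machines missing the new root: tolerate an unknown root, but then require that
            //    the chain actually ends at one of the roots we shipped. The flag is safe only because of
            //    that thumbprint check; every other error (expiry, bad signature, partial chain) still fails.
            using (var pinnedChain = new X509Chain())
            {
                pinnedChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                pinnedChain.ChainPolicy.ExtraStore.AddRange(bundled);
                pinnedChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                pinnedChain.Build(leaf);
                foreach (var status in pinnedChain.ChainStatus)
                    if (status.Status != X509ChainStatusFlags.NoError &&
                        status.Status != X509ChainStatusFlags.UntrustedRoot) return false;
                if (pinnedChain.ChainElements.Count == 0) return false;
                var root = pinnedChain.ChainElements[pinnedChain.ChainElements.Count - 1].Certificate;
                return trustedRootThumbprints.Contains(root.Thumbprint);
            }
        }
        catch (Exception e)
        {
            Debug.LogWarning("Certificate validation failed: " + e.Message);
            return false; // fail closed
        }
    }
}
```

With the LOOTLOCKER_ENABLE_HTTP_CONFIGURATION_OVERRIDE symbol defined, install it once before the first request with LootLockerSDKManager._OverrideLootLockerCertificateHandler(new BundledRootCertificateHandler()). Step 1 keeps behaviour unchanged on machines that already have the new root, so the pinning in step 2 only ever widens trust by the single bundled root and never replaces the platform's own validation on systems where it works.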
3. Additional Notes and Troubleshooting
- Always test your build on a clean machine that does not have the new root certificate installed to ensure your solution works.
- If you bundle multiple CA certificates, you can concatenate them into a single .pem file.
- Keep your CA bundle up to date as certificate authorities change over time.
- If you are distributing your game on multiple platforms, test the solution for each target OS.
If you are still experiencing issues after following this guide, don't hesitate to reach out on Discord for further assistance.