I’m slowing learning a bit more here…
From what I can gather piecing together information from various non-authoritative sources, Windows has a mechanism where it automatically downloads new certificate authority certificates from Windows Update on-the-fly as they’re needed. However, it can only do this for applications that use the “proper” Windows APIs to manage certificates. Presumably, this does not include Unreal Engine.
Therefore, if you’re running on a system where the “Starfield Services Root Certificate Authority - G2” certificate has never been needed before, then it won’t be available to Unreal Engine, either. And so the api.cesium.com certificate will fail validation.
Unfortunately, neither Google Chrome nor Microsoft Edge appear to use the requisite APIs, so accessing api.cesium.com from either browser will not download the appropriate certificate into the Windows certificate store. However, you can use PowerShell!
Run the following from a PowerShell command prompt:
Invoke-WebRequest "https://api.cesium.com"
You’ll see a message to the effect of “GET is not allowed”. This is fine and expected.
But doing this request from PowerShell should automatically download “Starfield Services Root Certificate Authority - G2” certificate from Windows Update and install it in the Windows certificate store. From then on, your Unreal Engine applications will be able to use it, too.
Now that I understand better what is happening, I’ll see if we can make changes to Cesium for Unreal to avoid this problem entirely. But in the meantime, this technique is probably easier than manually installing a certificate.
Note that there is a registry setting that will prevent all automatic certificate updates. This is off by default, but if your corporate IT (for example) have enabled it, then the above won’t work.