<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>curl - SSL CA Certificates</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <link rel="stylesheet" type="text/css" href="/curl.css"> <link rel="shortcut icon" href="/favicon.ico"> <link rel="icon" href="/logo/curl-symbol.svg" type="image/svg+xml"> <link rel="alternate" type="application/rss+xml" title="cURL Releases" href="https://github.com/curl/curl/releases.atom"> </head> <body> <div class="main"> <div class="menu"> <a href="/docs/" class="menuitem" title="Documentation Overview">Docs Overview</a> <div class="dropdown"> <a class="dropbtn" href="/docs/projdocs.html">Project</a> <div class="dropdown-content"> <a href="/docs/bugbounty.html">Bug Bounty</a> <a href="/docs/bugs.html">Bug Report</a> <a href="/docs/code-of-conduct.html">Code of conduct</a> <a href="/docs/libs.html">Dependencies</a> <a href="/donation.html">Donate</a> <a href="/docs/faq.html">FAQ</a> <a href="/docs/features.html">Features</a> <a href="/docs/governance.html">Governance</a> <a href="/docs/history.html">History</a> <a href="/docs/install.html">Install</a> <a href="/docs/knownbugs.html">Known Bugs</a> <a href="/logo/">Logo</a> <a href="/docs/todo.html">TODO</a> <a href="/about.html">website Info</a> </div> </div> <div class="dropdown"> <a class="dropbtn" href="/docs/protdocs.html">Protocols</a> <div class="dropdown-content"> <a href="/docs/caextract.html">CA Extract</a> <a href="/docs/http-cookies.html">HTTP cookies</a> <a href="/docs/http3.html">HTTP/3</a> <a href="/docs/mqtt.html">MQTT</a> <a href="/docs/sslcerts.html">SSL certs</a> <a href="/docs/ssl-compared.html">SSL libs compared</a> <a href="/docs/url-syntax.html">URL syntax</a> <a href="/docs/websocket.html">WebSocket</a> </div> </div> <div class="dropdown"> <a class="dropbtn" href="/docs/reldocs.html">Releases</a> <div class="dropdown-content"> <a href="/ch/">Changelog</a> <a href="/docs/security.html">curl CVEs</a> <a href="/docs/releases.html">Release Table</a> <a href="/docs/versions.html">Version Numbering</a> <a href="/docs/vulnerabilities.html">Vulnerabilities</a> </div> </div> <div class="dropdown"> <a class="dropbtn" href="/docs/tooldocs.html">Tool</a> <div class="dropdown-content"> <a href="/docs/comparison-table.html">Comparison Table</a> <a href="/docs/manpage.html">curl man page</a> <a href="/docs/httpscripting.html">HTTP Scripting</a> <a href="/docs/mk-ca-bundle.html">mk-ca-bundle</a> <a href="/docs/tutorial.html">Tutorial</a> <a href="optionswhen.html">When options were added</a> </div> </div> <div class="dropdown"> <a class="dropbtn" href="/docs/whodocs.html">Who and Why</a> <div class="dropdown-content"> <a href="/docs/companies.html">Companies</a> <a href="/docs/copyright.html">Copyright</a> <a href="/sponsors.html">Sponsors</a> <a href="/docs/thanks.html">Thanks</a> <a href="/docs/thename.html">The name</a> </div> </div> </div> <div class="contents"> <div class="where"><a href="/">curl</a> / <a href="/docs/">Docs</a> / <a href="/docs/protdocs.html">Protocols</a> / <b>SSL Certificates</b></div> <div class="relatedbox"> <b>Related:</b> <br><a href="caextract.html">CA extract</a> <br><a href="https://github.com/curl/curl/issues/new?title=SSLCERTS.md&amp;labels=documentation&amp;template=docs.yml&amp;source=docs/sslcerts.html" target="_new">File a bug about this page</a> </div> <!-- Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. SPDX-License-Identifier: curl --> <h1 id="tls-certificate-verification">TLS Certificate Verification</h1> <h2 id="native-vs-file-based">Native vs file based</h2> <p>If curl was built with Schannel or Secure Transport support, then curl uses the system native CA store for verification. All other TLS libraries use a file based CA store by default.</p> <h2 id="verification">Verification</h2> <p>Every trusted server certificate is digitally signed by a Certificate Authority, a CA.</p> <p>In your local CA store you have a collection of certificates from <em>trusted</em> certificate authorities that TLS clients like curl use to verify servers.</p> <p>curl does certificate verification by default. This is done by verifying the signature and making sure the certificate was crafted for the server name provided in the URL.</p> <p>If you communicate with HTTPS, FTPS or other TLS-using servers using certificates signed by a CA whose certificate is present in the store, you can be sure that the remote server really is the one it claims to be.</p> <p>If the remote server uses a self-signed certificate, if you do not install a CA cert store, if the server uses a certificate signed by a CA that is not included in the store you use or if the remote host is an impostor impersonating your favorite site, the certificate check fails and reports an error.</p> <p>If you think it wrongly failed the verification, consider one of the following sections.</p> <h3 id="skip-verification">Skip verification</h3> <p>Tell curl to <em>not</em> verify the peer with <code>-k</code>/<code>--insecure</code>.</p> <p>We <strong>strongly</strong> recommend this is avoided and that even if you end up doing this for experimentation or development, <strong>never</strong> skip verification in production.</p> <h3 id="use-a-custom-ca-store">Use a custom CA store</h3> <p>Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting - for this specific transfer only.</p> <p>With the curl command line tool: <code>--cacert [file]</code></p> <p>If you use the curl command line tool without a native CA store, then you can specify your own CA cert file by setting the environment variable <code>CURL_CA_BUNDLE</code> to the path of your choice.</p> <p>If you are using the curl command line tool on Windows, curl searches for a CA cert file named <code>curl-ca-bundle.crt</code> in these directories and in this order:</p> <ol type="1"> <li>application's directory</li> <li>current working directory</li> <li>Windows System directory (e.g. C:\Windows\System32)</li> <li>Windows Directory (e.g. C:\Windows)</li> <li>all directories along %PATH%</li> </ol> <p>curl 8.11.0 added a build-time option to disable this search behavior, and another option to restrict search to the application's directory.</p> <h3 id="use-the-native-store">Use the native store</h3> <p>In several environments, in particular on Windows, you can ask curl to use the system's native CA store when verifying the certificate.</p> <p>With the curl command line tool: <code>--ca-native</code>.</p> <h3 id="modify-the-ca-store">Modify the CA store</h3> <p>Add the CA cert for your server to the existing default CA certificate store.</p> <p>Usually you can figure out the path to the local CA store by looking at the verbose output that <code>curl -v</code> shows when you connect to an HTTPS site.</p> <h3 id="change-curls-default-ca-store">Change curl's default CA store</h3> <p>The default CA certificate store curl uses is set at build time. When you build curl you can point out your preferred path.</p> <h3 id="extract-ca-cert-from-a-server">Extract CA cert from a server</h3> <pre><code>curl -w %{certs} https://example.com &gt; cacert.pem</code></pre> <p>The certificate has <code>BEGIN CERTIFICATE</code> and <code>END CERTIFICATE</code> markers.</p> <h3 id="get-the-mozilla-ca-store">Get the Mozilla CA store</h3> <p>Download a version of the Firefox CA store converted to PEM format on the <a href="https://curl.se/docs/caextract.html">CA Extract</a> page. It always features the latest Firefox bundle.</p> <h2 id="native-ca-store">Native CA store</h2> <p>If curl was built with Schannel, Secure Transport or were instructed to use the native CA Store, then curl uses the certificates that are built into the OS. These are the same certificates that appear in the Internet Options control panel (under Windows) or Keychain Access application (under macOS). Any custom security rules for certificates are honored.</p> <p>Schannel runs CRL checks on certificates unless peer verification is disabled. Secure Transport on iOS runs OCSP checks on certificates unless peer verification is disabled. Secure Transport on macOS runs either OCSP or CRL checks on certificates if those features are enabled, and this behavior can be adjusted in the preferences of Keychain Access.</p> <h2 id="https-proxy">HTTPS proxy</h2> <p>curl can do HTTPS to the proxy separately from the connection to the server. This TLS connection is handled and verified separately from the server connection so instead of <code>--insecure</code> and <code>--cacert</code> to control the certificate verification, you use <code>--proxy-insecure</code> and <code>--proxy-cacert</code>. With these options, you make sure that the TLS connection and the trust of the proxy can be kept totally separate from the TLS connection to the server.</p> </div> </div> </body> </html>