curl - Extract CA Certs from Mozilla

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>curl - Extract CA Certs from Mozilla</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<link rel="stylesheet" type="text/css" href="/curl.css">
<link rel="shortcut icon" href="/favicon.ico">
<link rel="icon" href="/logo/curl-symbol.svg" type="image/svg+xml">
<link rel="alternate" type="application/rss+xml" title="cURL Releases" href="https://github.com/curl/curl/releases.atom">
</head>
<body>
<div class="main">
<div class="contents">
<h1> CA certificates extracted from Mozilla </h1>
<div class="relatedbox"> <b>Related:</b> <br><a href="sslcerts.html">SSL Certs</a> </div>
<p> The Mozilla CA certificate store in PEM format (around 200KB uncompressed):
<p> <big><a href="../ca/cacert.pem">cacert.pem</a></big>
<p> This bundle was generated at <b> Tue Feb 25 04:12:03 2025 GMT </b>.
<p> This PEM file contains the datestamp of the conversion and we only make a new conversion if there is a change in either the script or the source file. This service checks for updates every day.
Here's the <a href="../ca/cacert.pem.sha256">sha256sum</a> of the current PEM file.
<h2> filename </h2>
<p> Some programs will expect this file to be named <tt>ca-bundle.crt</tt> (in the correct path). curl on Windows has a system to find it if named <tt>curl-ca-bundle.crt</tt>.
<h2> CA file revisions per date of appearance </h2>
<table>
<tr><th>Date</th><th>Certificates</th></tr>
<tr><td><a href="/ca/cacert-2025-02-25.pem">2025-02-25</a> (<a href="/ca/cacert-2025-02-25.pem.sha256">sha256</a>)</td> <td align=center>150</td></tr>
<tr class="odd"><td><a href="/ca/cacert-2024-12-31.pem">2024-12-31</a> (<a href="/ca/cacert-2024-12-31.pem.sha256">sha256</a>)</td> <td align=center>149</td></tr>
<tr><td><a href="/ca/cacert-2024-11-26.pem">2024-11-26</a> (<a href="/ca/cacert-2024-11-26.pem.sha256">sha256</a>)</td> <td align=center>152</td></tr>
<tr class="odd"><td><a href="/ca/cacert-2024-09-24.pem">2024-09-24</a> (<a href="/ca/cacert-2024-09-24.pem.sha256">sha256</a>)</td> <td align=center>151</td></tr>
<tr><td><a href="/ca/cacert-2024-07-02.pem">2024-07-02</a> (<a href="/ca/cacert-2024-07-02.pem.sha256">sha256</a>)</td> <td align=center>147</td></tr>
<tr class="odd"><td><a href="/ca/cacert-2024-03-11.pem">2024-03-11</a> (<a href="/ca/cacert-2024-03-11.pem.sha256">sha256</a>)</td> <td align=center>147</td></tr>
<tr><td><a href="/ca/cacert-2023-12-12.pem">2023-12-12</a> (<a href="/ca/cacert-2023-12-12.pem.sha256">sha256</a>)</td> <td align=center>145</td></tr>
<tr class="odd"><td><a href="/ca/cacert-2023-08-22.pem">2023-08-22</a> (<a href="/ca/cacert-2023-08-22.pem.sha256">sha256</a>)</td> <td align=center>141</td></tr>
<tr><td><a href="/ca/cacert-2023-05-30.pem">2023-05-30</a> (<a href="/ca/cacert-2023-05-30.pem.sha256">sha256</a>)</td> <td align=center>137</td></tr>
<tr class="odd"><td><a href="/ca/cacert-2023-01-10.pem">2023-01-10</a> (<a href="/ca/cacert-2023-01-10.pem.sha256">sha256</a>)</td> <td align=center>137</td></tr>
</table>
<h2> Missing Name Constraints </h2>
<p> The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus <b>not</b> brought along in this cacert file!
<h2> CA certificate store license </h2>
<p> The PEM file is only a converted version of the original one and thus it is licensed under the same license as the Mozilla source file: MPL 2.0
<h2> Automated downloads from here </h2>
<p> We do not mind you downloading the PEM file from us in an automated fashion.
<p> A suitable curl command line to only download it when it has changed:
<pre> curl <a href="/docs/manpage.html#--etag-compare">--etag-compare</a> etag.txt <a href="/docs/manpage.html#--etag-save">--etag-save</a> etag.txt <a href="/docs/manpage.html#-O">--remote-name</a> https://curl.se/ca/cacert.pem </pre>
<p> Or if you use an ancient curl version that does not support etags:
<pre> curl <a href="/docs/manpage.html#-O">--remote-name</a> <a href="/docs/manpage.html#-z">--time-cond</a> cacert.pem https://curl.se/ca/cacert.pem </pre>
<h2> The conversion script mk-ca-bundle </h2>
<p> The <a href="mk-ca-bundle.html">mk-ca-bundle</a> tool converts <a href="https://www.mozilla.org/">Mozilla</a>'s certificate store to PEM format, suitable for (lib)curl and others.
<h2> Convert from your local Firefox installation </h2>
<p> You can also extract the CA certs from your Firefox installation if you have the <tt>certutil</tt> tool installed and run the <a href="https://github.com/curl/curl/blob/master/scripts/firefox-db2pem.sh">firefox-db2pem.sh</a> script.
</div>
</div>
</body>
</html>
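Added example (not code from the curl project): a POSIX shell wrapper around the conditional download shown above that checks the published sha256sum and the PEM structure before it replaces the installed bundle. `DEST`, `MIN_CERTS` and the function names are assumptions, as is the presence of GNU `sha256sum`.

```shell
#!/bin/sh
# Added example, not curl project code. DEST, MIN_CERTS and the function
# names are assumptions; sha256sum (GNU coreutils) is assumed to be installed.
URL=https://curl.se/ca/cacert.pem
DEST=${DEST:-./cacert.pem}
MIN_CERTS=${MIN_CERTS:-100}   # sanity floor, below every count in the table

# True when FILE ($1) hashes to the first field of the sha256sum-style file ($2).
verify_sha256() {
    want=$(awk 'NR==1 {print $1}' "$2") || return 1
    got=$(sha256sum "$1" | awk '{print $1}') || return 1
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# True when every BEGIN marker has an END marker and the count is plausible.
# Catches truncated or empty downloads before they replace a working bundle.
pem_is_complete() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "${b:-0}" -ge "$MIN_CERTS" ] && [ "${b:-0}" -eq "${e:-0}" ]
}

# Conditional fetch into a scratch directory; install only after both checks pass.
refresh_bundle() {
    tmp=$(mktemp -d) || return 1
    # The new ETag goes to a scratch file so a rejected download is retried next run.
    if ! curl --fail --silent --show-error \
            --etag-compare "$DEST.etag" --etag-save "$tmp/etag" \
            --output "$tmp/cacert.pem" "$URL"; then
        rm -rf "$tmp"; return 1
    fi
    # Unchanged upstream: the server answers 304 and no body is written.
    if [ ! -s "$tmp/cacert.pem" ]; then rm -rf "$tmp"; return 0; fi
    rc=1
    if curl --fail --silent --show-error --output "$tmp/sum" "$URL.sha256" \
        && verify_sha256 "$tmp/cacert.pem" "$tmp/sum" \
        && pem_is_complete "$tmp/cacert.pem"; then
        # Stage next to DEST so the final mv is a same-filesystem rename.
        if cp "$tmp/cacert.pem" "$DEST.new" && mv "$DEST.new" "$DEST"; then
            rc=0
            mv "$tmp/etag" "$DEST.etag" 2>/dev/null || rm -f "$DEST.etag"
        fi
    fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = refresh ]; then refresh_bundle; fi
```

Run it as `sh update-cacert.sh refresh` from a scheduled job; the script name is illustrative. The checksum file is served by the same host as the bundle, so this check detects truncated or corrupted transfers rather than a tampered origin.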
