curl / Docs / Protocols / SSL Certificates
Related:
CA extract
File a bug about this page
Native vs file based
If curl was built with Schannel support, then curl uses the systemnative CA store for verification. All other TLS libraries use a filebased CA store by default.
Verification
Every trusted server certificate is digitally signed by a CertificateAuthority, a CA.
In your local CA store you have a collection of certificates fromtrusted certificate authorities that TLS clients like curl useto verify servers.
curl does certificate verification by default. This is done byverifying the signature and making sure the certificate was crafted forthe server name provided in the URL.
If you communicate with HTTPS, FTPS or other TLS-using servers usingcertificates signed by a CA whose certificate is present in the store,you can be sure that the remote server really is the one it claims tobe.
If the remote server uses a self-signed certificate, if you do notinstall a CA cert store, if the server uses a certificate signed by a CAthat is not included in the store you use or if the remote host is animpostor impersonating your favorite site, the certificate check failsand reports an error.
If you think it wrongly failed the verification, consider one of thefollowing sections.
Skip verification
Tell curl to not verify the peer with-k/--insecure.
We strongly recommend this is avoided and that evenif you end up doing this for experimentation or development,never skip verification in production.
Use a custom CA store
Get a CA certificate that can verify the remote server and use theproper option to point out this CA cert for verification when connecting- for this specific transfer only.
With the curl command line tool: --cacert [file]
If you use the curl command line tool without a native CA store, thenyou can specify your own CA cert file by setting the environmentvariable CURL_CA_BUNDLE to the path of your choice.SSL_CERT_FILE and SSL_CERT_DIR are alsosupported.
If you are using the curl command line tool on Windows, curl searchesfor a CA cert file named curl-ca-bundle.crt in thesedirectories and in this order:
- application's directory
- current working directory
- Windows System directory (e.g. C:\Windows\System32)
- Windows Directory (e.g. C:\Windows)
- all directories along %PATH%
curl 8.11.0 added a build-time option to disable this searchbehavior, and another option to restrict search to the application'sdirectory.
Use the native store
In several environments, in particular on Windows, you can ask curlto use the system's native CA store when verifying the certificate.
With the curl command line tool: --ca-native.
Modify the CA store
Add the CA cert for your server to the existing default CAcertificate store.
Usually you can figure out the path to the local CA store by lookingat the verbose output that curl -v shows when you connectto an HTTPS site.
Change curl's default CAstore
The default CA certificate store curl uses is set at build time. Whenyou build curl you can point out your preferred path.
Extract CA cert from aserver
curl -w %{certs} https://example.com > cacert.pemThe certificate has BEGIN CERTIFICATE andEND CERTIFICATE markers.
Get the Mozilla CA store
Download a version of the Firefox CA store converted to PEM format onthe CA Extract page.It always features the latest Firefox bundle.
Native CA store
If curl was built with Schannel or was instructed to use the nativeCA Store, then curl uses the certificates that are built into the OS.These are the same certificates that appear in the Internet Optionscontrol panel (under Windows) or Keychain Access application (undermacOS). Any custom security rules for certificates are honored.
Schannel runs CRL checks on certificates unless peer verification isdisabled.
HTTPS proxy
curl can do HTTPS to the proxy separately from the connection to theserver. This TLS connection is handled and verified separately from theserver connection so instead of --insecure and--cacert to control the certificate verification, you use--proxy-insecure and --proxy-cacert. Withthese options, you make sure that the TLS connection and the trust ofthe proxy can be kept totally separate from the TLS connection to theserver.
