51

I need to add a .pem cert file to my default CA cert bundle but I don't know where the default CA Cert bundle is kept.

I need to append my new .pem file to this default bundle. I'd rather do that than specify my own location using --capath

cURL clearly knows where to look but I don't see any cURL commands that reveal the location. Is there a command that will reveal this location? How can I find it?

According to cURL:
Add the CA cert for your server to the existing default CA cert bundle. The default path of the CA bundle used can be changed by running configure with the --with-ca-bundle option pointing out the path of your choice.

Thanks

Slinky

7 Answers

55

Running curl with strace might give you a clue.

strace curl https://www.google.com |& grep open

Lots of output, but right near the end I see:

open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4

and /etc/ssl/certs/ is where my certificates are stored.

Flup
27

There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.

./curl-config --ca

gives the ca bundle install path.

I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.

lm713
15

I found an easy way: use the --cacert with a wrong file name, the output will show the path.

Example:

~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs
14

Use -v with https in the URL.

$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
*   Trying 172.217.9.174...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
Philip Rego
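The answers above give several ways to find the bundle: curl-config --ca, the CAfile/CApath lines in curl's error-77 message, the same lines in curl -v output, and simply looking at the well-known paths. The script below is an added example, not code from any of the answers: it tries those methods in order and parses curl's output for the CAfile and CApath values. The parser accepts both the older "error setting certificate verify locations" message and the lines curl -v prints; the probe URL, the list of fallback paths and the function names are my own assumptions. The curl probe needs an endpoint that accepts a TCP connection, because curl only prints its verify locations once it reaches TLS setup; the strace method is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the original question or answers: find the CA
# bundle file or CA directory that curl uses, trying the answers' methods in order.

# Parse curl's own report of its verify locations. Handles the older
# "error setting certificate verify locations" message (exit code 77) and the
# "successfully set certificate verify locations" block printed by `curl -v`.
# Reads stdin, prints "CAfile=<path>" and "CApath=<path>" lines.
parse_curl_verify_locations() {
    sed -n -E 's/^[* ]*(CAfile|CApath): *(.*[^ ]) *$/\1=\2/p'
}

# Method 1: libcurl's helper, if installed; prints the compiled-in bundle path.
probe_curl_config() {
    command -v curl-config >/dev/null 2>&1 || return 1
    curl-config --ca 2>/dev/null
}

# Method 2: ask curl itself. The URL default is an assumption; it only has to
# accept a TCP connection, the TLS handshake itself may fail.
probe_curl_verbose() {
    url=${1:-https://localhost/}
    curl -v --max-time 5 -o /dev/null "$url" 2>&1 | parse_curl_verify_locations
}

# Method 3: well-known defaults (assumed list: the paths named in the answers
# plus common distro defaults). Prints the first one that exists.
first_existing_path() {
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Combine the three methods; optional $1 is the probe URL for method 2.
find_ca_bundle() {
    ca=$(probe_curl_config) || ca=""
    if [ -n "$ca" ] && [ -e "$ca" ]; then
        printf '%s\n' "$ca"
        return 0
    fi
    # curl prints CAfile before CApath, so a bundle file wins over a directory;
    # "none" means curl has no path configured for that slot.
    found=$(probe_curl_verbose "$1" | sed -n -e 's/^CAfile=//p' -e 's/^CApath=//p' \
        | while IFS= read -r p; do
              [ "$p" != none ] && [ -e "$p" ] && { printf '%s\n' "$p"; break; }
          done)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    first_existing_path \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/cert.pem \
        /etc/ssl/certs \
        /etc/pki/tls/certs
}

# Usage: sh find-ca-bundle.sh [https://some-reachable-host/]
if bundle=$(find_ca_bundle "$@"); then
    printf 'curl CA bundle or directory: %s\n' "$bundle"
else
    echo 'could not determine the CA bundle location' >&2
fi
```

Method 1 is the most reliable when curl-config is present, because it reports what was compiled in; method 2 reports what the running curl actually loaded, which matters when an environment variable or a different libcurl is in play; method 3 is only a guess and should be confirmed with one of the first two.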
7

Linux (Ubuntu, Debian)

Copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store

sudo update-ca-certificates

Remove your CA and update the CA store:

sudo update-ca-certificates --fresh

Linux (CentOS 6)

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html is a very nice link which explains how to add it to several popular OSes.
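The CentOS 5 step above appends the certificate straight into the bundle with cat, which adds a second copy every time it is run. The script below is an added example, not part of any answer: it does the same append, but first normalises each certificate in the bundle to its base64 body and skips the append when that certificate is already there, and it makes sure the bundle ends with a newline so the appended BEGIN marker lands on its own line. It needs only sh and awk, no openssl. The function names are my own, and the certificate bodies used in the test are constructed strings, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original answers: append a PEM certificate
# to a CA bundle without adding it twice. Pure sh/awk, no openssl needed.

# Print one line per certificate in a PEM file: its base64 body with all
# whitespace removed, so certificates can be compared as single strings.
pem_cert_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Number of certificates in a PEM file or bundle.
pem_cert_count() {
    pem_cert_bodies "$1" | awk 'END { print NR }'
}

# Append the single-certificate PEM file $1 to bundle $2 unless that certificate
# is already present. Returns 0 when appended, 1 when already present,
# 2 when $1 contains no PEM certificate.
append_cert_to_bundle() {
    cert=$1
    bundle=$2
    new_bodies=$(pem_cert_bodies "$cert")
    [ -n "$new_bodies" ] || return 2
    if [ -e "$bundle" ] && pem_cert_bodies "$bundle" | grep -Fxq -- "$new_bodies"; then
        return 1
    fi
    # Without a trailing newline the appended BEGIN marker would be glued onto
    # the bundle's last line and the new certificate would never be parsed.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    # The "cat foo.crt >> ca-bundle.crt" step from the CentOS 5 section above.
    cat "$cert" >> "$bundle"
}

# Usage (paths are examples): sh append-ca.sh foo.crt /etc/pki/tls/certs/ca-bundle.crt
if [ "$#" -eq 2 ]; then
    rc=0
    append_cert_to_bundle "$1" "$2" || rc=$?
    case $rc in
        0) echo "appended; bundle now holds $(pem_cert_count "$2") certificates" ;;
        1) echo "already present; bundle unchanged" ;;
        *) echo "$1 does not contain a PEM certificate" >&2 ;;
    esac
fi
```

On Debian and Ubuntu the bundle under /etc/ssl/certs is regenerated by update-ca-certificates, so anything appended directly is lost on the next run; there the supported route is the one given above, copying the .crt into /usr/local/share/ca-certificates/ and running update-ca-certificates. The direct append is appropriate where the answer uses it, i.e. for a bundle no tool rewrites.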

2

You could download the CA root certificates bundle from haxx.se, who are the creators of curl. Then just append your certificate to their .pem and refer to it when using curl with the --cacert option.

iammyr
0

The default CA bundle location is OS dependent. On RHEL5, it is located in /etc/pki/tls/certs/ca-bundle.pem. On other flavors of Linux or non-Linux OSes, it may be in a different location.

John