I need to add a .pem cert file to my default CA cert bundle, but I don't know where the default CA cert bundle is kept.
I need to append my new .pem file to this default bundle. I'd rather do that than specify my own location using --capath.
cURL clearly knows where to look, but I don't see any cURL commands that reveal the location. Is there a command that will reveal this location? How can I find it?
According to cURL:
Add the CA cert for your server to the existing default CA cert bundle.
The default path of the CA bundle used can be changed by running configure
with the --with-ca-bundle option pointing out the path of your choice.
Thanks
Running curl with strace might give you a clue.
strace curl https://www.google.com |& grep open
Lots of output, but right near the end I see:
open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4
which shows that /etc/ssl/certs/ is where my certificates are stored.
There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.
./curl-config --ca
gives the ca bundle install path.
I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.
I found an easy way: use --cacert with a wrong file name; the output will show the path.
Example:
~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
CAfile: non_existing_file
CApath: /etc/ssl/certs
$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
* Trying 172.217.9.174...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
Copy your CA to the directory /usr/local/share/ca-certificates/:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store
sudo update-ca-certificates
Remove your CA and update the CA store:
sudo update-ca-certificates --fresh
Linux (CentOS 6)
Install the ca-certificates package:
yum install ca-certificates
Enable the dynamic CA configuration feature:
update-ca-trust force-enable
Add it as a new file to /etc/pki/ca-trust/source/anchors/:
cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
Linux (CentOS 5)
Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt
cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt
A very nice link, which explains how to add it to several popular OSes: https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
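For the asker's goal of appending a .pem to the bundle, and the --cacert trick shown earlier, here is an added POSIX shell example (not code from any of the answers) that parses the "curl: (77)" error text for CAfile/CApath and appends a single certificate to a bundle only once. The bundle and certificate it creates in demo are constructed placeholder blocks, not real certificates.

```shell
# Added example, not from the answers above. Needs only sh, sed, awk, grep, tail, mktemp.

# Constructed copy of the error text shown in the --cacert answer.
SAMPLE_ERR='curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs'

# verify_location KEY: print the value of "KEY: value" (KEY is CAfile or CApath)
# from error text on stdin. Assumes the multi-line form shown above.
verify_location() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# cert_blocks FILE: number of PEM certificate blocks in FILE (0 if unreadable).
cert_blocks() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true; }

# pem_body FILE: base64 body of the first certificate in FILE, joined to one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/{inb=1; next} /-----END CERTIFICATE-----/{exit} inb{printf "%s", $0}' "$1"
}

# bundle_has_cert BUNDLE PEM: succeed if PEM's certificate body already appears in BUNDLE.
bundle_has_cert() {
    body=$(pem_body "$2"); [ -n "$body" ] || return 2
    awk '/-----BEGIN CERTIFICATE-----/{inb=1; b=""; next}
         /-----END CERTIFICATE-----/{inb=0; print b; next}
         inb{b=b $0}' "$1" | grep -qxF -- "$body"
}

# append_cert BUNDLE PEM: append PEM to BUNDLE once; refuses multi-cert or empty input.
append_cert() {
    bundle=$1; pem=$2
    [ "$(cert_blocks "$pem")" -eq 1 ] || { echo "refusing: $pem must hold exactly one certificate"; return 1; }
    if bundle_has_cert "$bundle" "$pem"; then echo "already present"; return 0; fi
    # A bundle without a final newline would glue our BEGIN line onto its last line.
    if [ -s "$bundle" ] && ! tail -c 1 "$bundle" | read -r last; then echo >> "$bundle"; fi
    cat "$pem" >> "$bundle" && echo "appended"
}

# demo: exercise append_cert on constructed placeholder blocks (not real certificates).
demo() {
    dir=$(mktemp -d); bundle="$dir/ca-bundle.crt"; pem="$dir/foo.pem"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'EXISTINGROOTAAAA' '-----END CERTIFICATE-----' > "$bundle"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'NEWCORPORATEROOT' 'BBBB' '-----END CERTIFICATE-----' > "$pem"
    append_cert "$bundle" "$pem"; append_cert "$bundle" "$pem"; cert_blocks "$bundle"
    rm -rf "$dir"
}
```

Against a live install, `curl --cacert /nonexistent https://localhost/ 2>&1 | verify_location CApath` applies the trick from the answer. Note that anything appended to the distribution's own bundle is lost when the ca-certificates package regenerates it, whereas the update-ca-certificates and update-ca-trust steps in the answer above survive updates.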