
Server Fault is a question and answer site for system and network administrators.

I need to add a .pem cert file to my default CA cert bundle but I don't know where the default CA Cert bundle is kept.

I need to append my new .pem file to this default bundle. I'd rather do that than specify my own location using --capath.

cURL clearly knows where to look but I don't see any cURL commands that reveal the location. Is there a command that will reveal this location? How can I find it?

According to cURL:
Add the CA cert for your server to the existing default CA cert bundle. The default path of the CA bundle used can be changed by running configure with the --with-ca-bundle option pointing out the path of your choice.

Thanks

Running curl with strace might give you a clue.

strace curl https://www.google.com |& grep open

Lots of output, but right near the end I see:

open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4

so /etc/ssl/certs/ is where my certificates are stored.

strace not available on macOS, apparently. The "equivalent" dtruss told me "dtrace: failed to initialize dtrace: DTrace requires additional privileges". So I used sudo with it. To which it replied "dtrace: failed to execute curl: dtrace cannot control executables signed with restricted entitlements". Not very helpful.
– Mr. Lance E Sloan Dec 1, 2017 at 17:23

curl with level one verbose will do the same, you don't need strace: curl -v example.com |& grep "CAfile"
– MerlinTheMagic Jun 22, 2020 at 9:56

For followers: |& is syntactic sugar for 2>&1 |. @MerlinTheMagic it needs an https://example.com, then it somewhat works, see Philip Rego's answer comments. Using dtruss in OS X is possible stackoverflow.com/questions/31045575/… but may not be accurate superuser.com/questions/247686/wheres-the-ca-cert-bundle-on-osx/… . It outputs CAfile: /etc/ssl/cert.pem and dtruss agrees, but the built-in curl may also be using CA root keys from the System KeyChain in addition (i.e. not using that file at all).
– rogerdpack Dec 15, 2020 at 17:59

The |& syntax doesn't seem to work on older versions of bash, e.g., the one included on macOS Mojave.
– Quinn Comendant Oct 2, 2021 at 3:25

There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.

./curl-config --ca

gives the ca bundle install path.

I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.

I had to install a package on Ubuntu to run this (you will be shown a list of available options if it's not installed), but using this command led me to the right place!
– Robert Dundon Nov 28, 2017 at 20:34

The curl-config program isn't available with all versions of the program or installations. For example, some admins may not understand the purpose of the program and not install it because they think it's only a build configuration tool. Further, if the user that needs the program isn't the admin of a system they can't install it. I have access to two systems: one doesn't have this program, the other gives no output for curl-config --ca.
– Mr. Lance E Sloan Dec 1, 2017 at 17:13

I prefer this answer to the accepted one - using strace to find config information shouldn't be necessary.
– Ken Williams Dec 28, 2017 at 18:35

I found an easy way: use the --cacert with a wrong file name, the output will show the path.

Example:

~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs

I thought this looked like a good solution. However, curl gave me the "77" error, but not the additional information.
– Mr. Lance E Sloan Dec 1, 2017 at 17:26

Some distros don't use the path, only the single file, which will be absent from this output...
– rogerdpack Dec 15, 2020 at 18:03

$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
*   Trying 172.217.9.174...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

Nope. It didn't show anything like that for me. In fact, I compared the output of that with another run adding the -k option to see whether there's a difference. There was no difference.
– Mr. Lance E Sloan Dec 1, 2017 at 17:31

Unfortunately for me on some boxes all it says is CAfile: none (even when working well) but it does show the right file on some other OS's, and may show the right path. Weird. I guess some have all the certs in one file while others "split them up" and the latter doesn't show which one it uses. The strace trick seemed to work almost everywhere (see its comments).
– rogerdpack Dec 15, 2020 at 18:06

Copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store

sudo update-ca-certificates

Remove your CA and update the CA store:

sudo update-ca-certificates --fresh

Linux (CentOS 6)

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html is a very nice link which explains how to add it to several popular OSes.

Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
– Gerald Schneider Aug 13, 2019 at 12:20

Another idea:
# strings /usr/lib64/libcurl.so.3 | egrep '^/'
/etc/pki/tls/certs/ca-bundle.crt
– offby1 Aug 30, 2013 at 18:57
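The CentOS 5 step above appends with `cat >>`, which adds the certificate again every time it is rerun. As an added example (not from the thread or from any answerer), this Python script adds only the certificates whose SHA-256 fingerprint is not already in the bundle; the bundle and certificate paths are caller-supplied, and the demo uses constructed fake PEM blocks rather than real certificates.

```python
"""Added example: append PEM certs to a CA bundle only if not already present."""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text: str) -> dict[str, str]:
    """Map SHA-256 fingerprint of the DER bytes -> PEM block, for each cert in text."""
    out = {}
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        out[hashlib.sha256(der).hexdigest()] = m.group(0) + "\n"
    return out


def add_to_bundle(bundle: Path, new_cert: Path) -> list[str]:
    """Append the certs in new_cert that bundle lacks; return the fingerprints added."""
    have = pem_fingerprints(bundle.read_text()) if bundle.exists() else {}
    want = pem_fingerprints(new_cert.read_text())
    if not want:
        raise ValueError(f"{new_cert}: no CERTIFICATE blocks found")
    missing = {fp: pem for fp, pem in want.items() if fp not in have}
    if missing:
        text = bundle.read_text() if bundle.exists() else ""
        # Separate from existing content even if the bundle lacks a trailing newline.
        if text and not text.endswith("\n"):
            text += "\n"
        bundle.write_text(text + "".join(missing.values()))
    return sorted(missing)


def demo() -> dict:
    """Exercise the above on a constructed bundle (fake DER bytes, not real certs)."""
    def pem(raw: bytes) -> str:
        return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
                + "\n-----END CERTIFICATE-----\n")
    d = Path(tempfile.mkdtemp())
    bundle, new = d / "ca-bundle.crt", d / "foo.crt"
    bundle.write_text(pem(b"root-A") + pem(b"root-B"))   # existing store
    new.write_text(pem(b"root-B") + pem(b"my-ca"))       # one duplicate, one new
    first = add_to_bundle(bundle, new)                   # adds only my-ca
    second = add_to_bundle(bundle, new)                  # re-run adds nothing
    return {"first": first, "second": second,
            "total": len(pem_fingerprints(bundle.read_text()))}
```

Run `pem_fingerprints(Path("/etc/pki/tls/certs/ca-bundle.crt").read_text())` on a real bundle to check by fingerprint whether a given CA is already trusted before touching the file.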