Default CA Cert Bundle Location
Solution 1
Running curl with strace might give you a clue.
strace curl https://www.google.com |& grep open
Lots of output, but right near the end I see:
open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4
and /etc/ssl/certs/ is where my certificates are stored.
Solution 2
There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.
./curl-config --ca
gives the ca bundle install path.
I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.
Solution 3
I found an easy way: use --cacert with a wrong file name; the output will show the path.
Example:
~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
CAfile: non_existing_file
CApath: /etc/ssl/certs
Solution 4
-v with https in the URL.
$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
* Trying 172.217.9.174...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
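As an added example that is not part of any answer above: a small POSIX shell script that parses the CA locations out of curl's own output, whether it comes from the --cacert trick (Solution 3) or from curl -v (Solution 4), and treats the "CAfile: none" shape mentioned in the comments as "not configured". The function names and the sample outputs are constructed here, not taken from curl's documentation.

```shell
#!/bin/sh
# Added example: pull the CA locations out of curl's own output, from either
# the "curl --cacert <bogus>" error (Solution 3) or "curl -v" (Solution 4).

# Print "CAfile=<path>" / "CApath=<path>" for each location line on stdin,
# stripping the "* " prefix that -v adds and any trailing whitespace.
extract_ca_locations() {
    sed -nE 's/^[[:space:]]*(\* *)?(CAfile|CApath): *(.*[^[:space:]])[[:space:]]*$/\2=\3/p'
}

# Print where a CA would have to go: the CAfile if curl reports one, else the
# CApath directory, else "unknown". "none" (which some distros print) counts
# as absent, as does the bogus file name passed in $1 for the --cacert trick.
resolve_ca_bundle() {
    bogus="${1:-}"
    extract_ca_locations | {
        cafile=""; capath=""
        while IFS= read -r kv; do
            case "$kv" in
                CAfile=none|CApath=none|CAfile="$bogus") ;;
                CAfile=*) cafile="${kv#CAfile=}" ;;
                CApath=*) capath="${kv#CApath=}" ;;
            esac
        done
        if [ -n "$cafile" ]; then printf '%s\n' "$cafile"
        elif [ -n "$capath" ]; then printf '%s\n' "$capath"
        else printf 'unknown\n'; fi
    }
}

# Constructed samples (not captured from a real host): Solution 3's error,
# Solution 4's -v lines on a Debian-style host, and the "CAfile: none" shape.
SAMPLE_CACERT='curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs'
SAMPLE_VERBOSE='* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
*   CApath: /etc/ssl/certs'
SAMPLE_NONE='*   CAfile: none
*   CApath: /etc/pki/tls/certs'

# Run against the installed curl (same trick as Solution 3) when CURL_LIVE=1;
# otherwise demonstrate on the constructed -v sample.
if [ "${CURL_LIVE:-0}" = 1 ] && command -v curl >/dev/null 2>&1; then
    curl --cacert non_existing_file https://www.google.com 2>&1 \
        | resolve_ca_bundle non_existing_file
else
    printf '%s\n' "$SAMPLE_VERBOSE" | resolve_ca_bundle
fi
```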
Solution 5
Linux (Ubuntu, Debian)
Copy your CA to dir /usr/local/share/ca-certificates/
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store
sudo update-ca-certificates
Remove your CA and update the CA store:
sudo update-ca-certificates --fresh
Linux (CentOS 6)
Install the ca-certificates package:
yum install ca-certificates
Enable the dynamic CA configuration feature:
update-ca-trust force-enable
Add it as a new file to /etc/pki/ca-trust/source/anchors/:
cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
Linux (CentOS 5)
Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt:
cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt
https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html is a very nice link, which explains how to add it to several popular OSes.
Comments
- Slinky (over 1 year): I need to add a .pem cert file to my default CA cert bundle but I don't know where the default CA cert bundle is kept.
  I need to append my new .pem file to this default bundle. I'd rather do that than specify my own location using --capath.
  cURL clearly knows where to look but I don't see any cURL commands that reveal the location. Is there a command that will reveal this location? How can I find it?
  According to cURL:
  Add the CA cert for your server to the existing default CA cert bundle. The default path of the CA bundle used can be changed by running configure with the --with-ca-bundle option pointing out the path of your choice.
  Thanks
- iSee (about 11 years): What operating system are you using?
- Slinky (about 11 years): So I guess I just search for that file then...
- offby1 (over 10 years): Another idea:
  # strings /usr/lib64/libcurl.so.3 | egrep '^/'
  /etc/pki/tls/certs/ca-bundle.crt
- Robert Dundon (over 6 years): +1 for showing me about strace!
- Mr. Lance E Sloan (over 6 years): The curl-config program isn't available with all versions of the program or installations. For example, some admins may not understand the purpose of the program and not install it because they think it's only a build configuration tool. Further, if the user that needs the program isn't the admin of a system they can't install it. I have access to two systems; one doesn't have this program, the other gives no output for curl-config --ca.
- Mr. Lance E Sloan (over 6 years): strace is not available on macOS, apparently. The "equivalent" dtruss told me "dtrace: failed to initialize dtrace: DTrace requires additional privileges". So I used sudo with it. To which it replied "dtrace: failed to execute curl: dtrace cannot control executables signed with restricted entitlements". Not very helpful.
- Mr. Lance E Sloan (over 6 years): I thought this looked like a good solution. However, curl gave me the "77" error, but not the additional information.
- Mr. Lance E Sloan (over 6 years): Nope. It didn't show anything like that for me. In fact, I compared the output of that with another run adding the -k option to see whether there's a difference. There was no difference.
- Philip Rego (over 6 years): @LS do you have https in your URL?
- Chananel P (over 6 years): @L S try adding the verbose flag: -v or --verbose
- Ken Williams (over 6 years): I prefer this answer to the accepted one - using strace to find config information shouldn't be necessary.
- dortegaoh (over 4 years): Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
- BiG_NoBoDy (over 4 years): @GeraldSchneider > your comment read, and actioned ;)
- MerlinTheMagic (almost 4 years): curl with level one verbose will do the same, you don't need strace. "curl -v example.com |& grep "CAfile""
- Giraffe (over 3 years): What package is this found in? I find it's present in some OS's and not in others...
- Giraffe (over 3 years): For followers: |& is syntactic sugar for 2>&1 |. @MerlinTheMagic it needs an https://example.com then it somewhat works, see Philip Rego's answer comments. Using dtruss in OS X is possible stackoverflow.com/questions/31045575/… but may not be accurate superuser.com/questions/247686/wheres-the-ca-cert-bundle-on-osx/…. It outputs CAfile: /etc/ssl/cert.pem and dtruss agrees, but the built-in curl may also be using CA root keys from the System KeyChain in addition (i.e. not using that file at all).
- Giraffe (over 3 years): Some distros don't use the path, only the single file, which will be absent from this output...
- Giraffe (over 3 years): Unfortunately for me on some boxes all it says is CAfile: none (even when working well) but it does show the right file on some other OS's, and may show the right path. Weird. I guess some have all the certs in one file while others "split them up" and the latter doesn't show which one it uses. The strace trick seemed to work almost everywhere (see its comments).
- rinogo (over 3 years): Didn't give any useful paths for me on CentOS 6 and curl 7.62.0.
- Quinn Comendant (over 2 years): The |& syntax doesn't seem to work on older versions of bash, e.g., the one included on macOS Mojave.
- 0andriy (over 2 years): Slightly better: curl -v https://www.google.com 2>&1 | grep CApath.