Default CA Cert Bundle Location


Solution 1

Running curl with strace might give you a clue.

strace curl https://www.google.com |& grep open

Lots of output, but right near the end I see:

open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4

and /etc/ssl/certs/ is where my certificates are stored.

Solution 2

There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.

./curl-config --ca

gives the ca bundle install path.

I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.

Solution 3

I found an easy way: use --cacert with a wrong file name; the output will show the path.

Example:

~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs

Solution 4

-v with https in the URL.

$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
*   Trying 172.217.9.174...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt

Solution 5

Linux (Ubuntu, Debian)

Copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store

sudo update-ca-certificates

Remove your CA and update the CA store:

sudo update-ca-certificates --fresh

Linux (CentOS 6)

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html is a very nice link which explains how to add it to several popular OSes.
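As an added example (not code from any of the answers above), the following POSIX shell script chains the curl-config, -v and bogus --cacert methods from Solutions 2, 3 and 4, parses the CAfile/CApath values out of curl's output, and checks that what curl reports actually exists on disk before trusting it. Function names are my own; the default URL is the one the answers use, and 2>&1 is used instead of |& because, as the comments note, |& is not portable to older shells.

```shell
#!/bin/sh
# Added example, not from the original answers: locate the CA bundle curl
# actually uses by combining the curl-config, -v and --cacert-probe methods
# and validating the reported paths. All function names are hypothetical.

# Read curl stderr text on stdin and print the value after "CAfile:".
# Leading "*" and spaces (from -v output) are stripped; only the first match
# is printed so a retried connection does not produce two lines.
ca_file_from_output() {
    sed -n 's/^[* ]*CAfile:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Same for "CApath:" (the directory of hashed certificates, e.g. /etc/ssl/certs).
ca_path_from_output() {
    sed -n 's/^[* ]*CApath:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if the value curl reported is a real file (CAfile) or directory
# (CApath), 1 otherwise. "none" is what curl prints for an unset location,
# which is why some answers' output shows "CAfile: none".
ca_location_exists() {
    case "$1" in
        ""|none) return 1 ;;
    esac
    [ -f "$1" ] || [ -d "$1" ]
}

# Try the methods from the page in order and print the first usable location.
# $1 is an https URL. curl only sets up certificate locations during the TLS
# handshake, so the -v and --cacert probes need a reachable https host.
find_curl_ca() {
    url=${1:-https://www.google.com}

    # Solution 2: curl-config --ca, when the package that ships it is installed.
    if command -v curl-config >/dev/null 2>&1; then
        ca=$(curl-config --ca 2>/dev/null || true)
        if ca_location_exists "$ca"; then
            echo "$ca"
            return 0
        fi
    fi

    # Solution 4: -v prints "CAfile:" and "CApath:" once verify locations are set.
    out=$(curl -sS -v -o /dev/null "$url" 2>&1 || true)
    for loc in "$(printf '%s\n' "$out" | ca_file_from_output)" \
               "$(printf '%s\n' "$out" | ca_path_from_output)"; do
        if ca_location_exists "$loc"; then
            echo "$loc"
            return 0
        fi
    done

    # Solution 3: a bogus --cacert makes curl fail with error 77 and report the
    # CApath it would have used next to the bad CAfile.
    out=$(curl -sS --cacert /nonexistent/probe.pem -o /dev/null "$url" 2>&1 || true)
    loc=$(printf '%s\n' "$out" | ca_path_from_output)
    if ca_location_exists "$loc"; then
        echo "$loc"
        return 0
    fi

    echo "could not determine the CA location; fall back to strace (Solution 1)" >&2
    return 1
}

# Usage: sh find-curl-ca.sh https://www.google.com
if [ $# -gt 0 ]; then
    find_curl_ca "$1"
fi
```

The existence check matters because, as several comments report, curl can print "CAfile: none" on a working system (the distro ships only a CApath, or only a single bundle file); the script therefore accepts whichever of the two values points at something real, rather than the first string it sees.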

Author: Slinky, software developer for a large music retailer

Updated on September 18, 2022

Comments

  • Slinky
    Slinky over 1 year

    I need to add a .pem cert file to my default CA cert bundle but I don't know where the default CA Cert bundle is kept.

    I need to append my new .pem file to this default bundle. I'd rather do that than specify my own location using --capath

    cURL clearly knows where to look but I don't see any cURL commands that reveal the location. Is there a command that will reveal this location? How can I find it?

    According to cURL:
    Add the CA cert for your server to the existing default CA cert bundle. The default path of the CA bundle used can be changed by running configure with the --with-ca-bundle option pointing out the path of your choice.

    Thanks

    • iSee
      iSee about 11 years
      What operating system are you using?
  • Slinky
    Slinky about 11 years
    So I guess I just search for that file then...
  • offby1
    offby1 over 10 years
    Another idea: # strings /usr/lib64/libcurl.so.3 | egrep '^/' /etc/pki/tls/certs/ca-bundle.crt
  • Robert Dundon
    Robert Dundon over 6 years
    +1 for showing me about strace!
  • Mr. Lance E Sloan
    Mr. Lance E Sloan over 6 years
    The curl-config program isn't available with all versions of the program or installations. For example, some admins may not understand the purpose of the program and not install it because they think it's only a build configuration tool. Further, if the user that needs the program isn't the admin of a system they can't install it. I have access to two systems, one doesn't have this program, the other gives no output for curl-config --ca.
  • Mr. Lance E Sloan
    Mr. Lance E Sloan over 6 years
    strace not available on macOS, apparently. The "equivalent" dtruss told me "dtrace: failed to initialize dtrace: DTrace requires additional privileges". So I used sudo with it. To which it replied "dtrace: failed to execute curl: dtrace cannot control executables signed with restricted entitlements". Not very helpful.
  • Mr. Lance E Sloan
    Mr. Lance E Sloan over 6 years
    I thought this looked like a good solution. However, curl gave me the "77" error, but not the additional information.
  • Mr. Lance E Sloan
    Mr. Lance E Sloan over 6 years
    Nope. It didn't show anything like that for me. In fact, I compared the output of that with another run adding the -k option to see whether there's a difference. There was no difference.
  • Philip Rego
    Philip Rego over 6 years
    @LS do you have https in your URL?
  • Chananel P
    Chananel P over 6 years
    @L S try adding verbose flag: -v or --verbose
  • Ken Williams
    Ken Williams over 6 years
    I prefer this answer to the accepted one - using strace to find config information shouldn't be necessary.
  • dortegaoh
    dortegaoh over 4 years
    Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
  • BiG_NoBoDy
    BiG_NoBoDy over 4 years
    @GeraldSchneider > you comment read, and actioned ;)
  • MerlinTheMagic
    MerlinTheMagic almost 4 years
    curl with level one verbose will do the same, you don't need strace. "curl -v example.com |& grep "CAfile""
  • Giraffe
    Giraffe over 3 years
    What package is this found in? I find it's present in some OS's and not in others...
  • Giraffe
    Giraffe over 3 years
    For followers |& is syntactic sugar for 2>&1 |. @MerlinTheMagic it needs an https://example.com then it somewhat works, see Philip Rego's answer comments. Using dtruss in OS X is possible stackoverflow.com/questions/31045575/… but may not be accurate superuser.com/questions/247686/wheres-the-ca-cert-bundle-on-osx/…. It outputs CAfile: /etc/ssl/cert.pem and dtruss agrees but for the built-in curl may also be using CA root keys from the System KeyChain in addition (i.e. not using that file at all)
  • Giraffe
    Giraffe over 3 years
    Some distros don't use the path, only the single file, which will be absent from this output...
  • Giraffe
    Giraffe over 3 years
    Unfortunately for me on some boxes all it says is CAfile: none (even when working well) but it does show the right file on some other OS's, and may show the right path. Weird. I guess some have all the cert's in one file while other "split them up" and the latter doesn't show which one it uses. The strace trick seemed to work almost everywhere (see its comments).
  • rinogo
    rinogo over 3 years
    Didn't give any useful paths for me on CentOS 6 and curl 7.62.0.
  • Quinn Comendant
    Quinn Comendant over 2 years
    The |& syntax doesn't seem to work on older versions of bash, e.g., the one included on macOS Mojave.
  • 0andriy
    0andriy over 2 years
    Slightly better curl -v https://www.google.com 2>&1 | grep CApath.