46

I need to add a .pem cert file to my default CA cert bundle but I don't know where the default CA Cert bundle is kept.

I need to append my new .pem file to this default bundle. I'd rather do that than specify my own location using --capath.

cURL clearly knows where to look but I don't see any cURL commands that reveal the location. Is there a command that will reveal this location? How can I find it?

According to cURL:
Add the CA cert for your server to the existing default CA cert bundle. The default path of the CA bundle used can be changed by running configure with the --with-ca-bundle option pointing out the path of your choice.

Thanks

Slinky

7 Answers

46

Running curl with strace might give you a clue.

strace curl https://www.google.com |& grep open

Lots of output, but right near the end I see:

open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4

so /etc/ssl/certs/ is where my certificates are stored.

rogerdpack
Flup
  • +1 for showing me about `strace`! – Robert Dundon Nov 28 '17 at 19:55
  • `strace` not available on macOS, apparently. The "equivalent" `dtruss` told me "dtrace: failed to initialize dtrace: DTrace requires additional privileges". So I used `sudo` with it. To which it replied "dtrace: failed to execute curl: dtrace cannot control executables signed with restricted entitlements". Not very helpful. – Mr. Lance E Sloan Dec 01 '17 at 17:23
  • curl with level one verbose will do the same, you don't need strace: `curl -v https://example.com/ |& grep "CAfile"` – MerlinTheMagic Jun 22 '20 at 09:56
  • For followers: `|&` is syntactic sugar for `2>&1 |`. @MerlinTheMagic it needs an `https://example.com` URL, then it somewhat works, see Philip Rego's answer comments. Using `dtruss` in OS X is possible (https://stackoverflow.com/questions/31045575/how-to-trace-system-calls-of-a-program-in-mac-os-x) but may not be accurate (https://superuser.com/questions/247686/wheres-the-ca-cert-bundle-on-osx/247739#247739). It outputs `CAfile: /etc/ssl/cert.pem` and dtruss agrees, but the built-in curl may also be using CA root keys from the System Keychain in addition (i.e. not using that file at all). – rogerdpack Dec 15 '20 at 17:59
  • The `|&` syntax doesn't seem to work on older versions of bash, e.g., the one included on macOS Mojave. – Quinn Comendant Oct 02 '21 at 03:25
26

There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.

./curl-config --ca

gives the ca bundle install path.

I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.

lm713
  • I had to install a package on Ubuntu to run this (you will be shown a list of available options if it's not installed), but using this command led me to the right place! – Robert Dundon Nov 28 '17 at 20:34
  • The `curl-config` program isn't available with all versions of the program or installations. For example, some admins may not understand the purpose of the program and not install it because they think it's only a build configuration tool. Further, if the user that needs the program isn't the admin of a system, they can't install it. I have access to two systems; one doesn't have this program, the other gives *no output* for `curl-config --ca`. – Mr. Lance E Sloan Dec 01 '17 at 17:13
  • I prefer this answer to the accepted one - using `strace` to find config information shouldn't be necessary. – Ken Williams Dec 28 '17 at 18:35
  • What package is this found in? I find it's present in some OS's and not in others... – rogerdpack Dec 15 '20 at 17:26
13

I found an easy way: use `--cacert` with a wrong file name; the output will show the path.

Example:

~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs
Chananel P
8

Use `-v` with https in the URL.

$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
*   Trying 172.217.9.174...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
Philip Rego
  • Nope. It didn't show anything like that for me. In fact, I compared the output of that with another run adding the `-k` option to see whether there's a difference. There was no difference. – Mr. Lance E Sloan Dec 01 '17 at 17:31
  • @LS do you have https in your URL? – Philip Rego Dec 02 '17 at 18:09
  • Unfortunately for me on some boxes all it says is `CAfile: none` (even when working well), but it does show the right file on some other OS's, and may show the right path. Weird. I guess some have all the certs in one file while others "split them up", and the latter doesn't show which one it uses. The strace trick seemed to work almost everywhere (see its comments). – rogerdpack Dec 15 '20 at 18:06
  • Slightly better: `curl -v https://www.google.com 2>&1 | grep CApath`. – 0andriy Oct 22 '21 at 14:10
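The strace, `curl-config --ca`, bogus `--cacert` and `-v` answers all end in reading a `CAfile:` or `CApath:` line off the screen. As an added example that is not from any answer on this page, the script below parses those two keys out of curl's output (both the `-v` success line and the exit-77 error print them) and wraps the live lookups; the sample outputs, the `https://example.com/` default URL and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from any answer above: read the CAfile/CApath that
# curl reports out of its own output so the lookup can be scripted. The same
# two keys appear on the success line of `curl -v` ("successfully set
# certificate verify locations:") and in the exit-77 error that
# `curl --cacert non_existing_file` produces.

# stdin: curl output. stdout: "CAfile=<value>" / "CApath=<value>" lines.
# The optional leading "*" is curl's verbose marker. "none" is a legitimate
# value: it means that slot is unset (distros that ship only a CApath).
parse_ca_locations() {
    sed -n \
        -e 's/^\*\{0,1\}[[:space:]]*CAfile:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/CAfile=\1/p' \
        -e 's/^\*\{0,1\}[[:space:]]*CApath:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/CApath=\1/p'
}

# Single-value helpers (first match only) for use in scripts.
ca_file_from() { parse_ca_locations | sed -n 's/^CAfile=//p' | head -n 1; }
ca_path_from() { parse_ca_locations | sed -n 's/^CApath=//p' | head -n 1; }

# Live lookup in the order the answers suggest: curl-config first (needs no
# network), then a verbose handshake against an https URL. The default URL
# is an illustrative placeholder; pass your own as $1.
find_curl_ca_locations() {
    url=${1:-https://example.com/}
    if command -v curl-config >/dev/null 2>&1; then
        ca=$(curl-config --ca 2>/dev/null)
        if [ -n "$ca" ]; then printf 'CAfile=%s\n' "$ca"; return 0; fi
    fi
    curl -sS -v -o /dev/null "$url" 2>&1 | parse_ca_locations
}

# Constructed samples (not captured from a real host) so the parser can be
# exercised offline; 192.0.2.1 is a documentation-range address.
SAMPLE_VERBOSE='* Connected to example.com (192.0.2.1) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
*   CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):'

SAMPLE_ERROR='curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs'

printf '%s\n' "$SAMPLE_VERBOSE" | parse_ca_locations  # CAfile=/etc/ssl/certs/ca-certificates.crt, CApath=/etc/ssl/certs
printf '%s\n' "$SAMPLE_ERROR" | ca_path_from          # /etc/ssl/certs
```

A `CAfile=none` result is not a parse failure: on such builds curl trusts only the hash-named files under `CApath`, which is where the strace answer's `/etc/ssl/certs/578d5c04.0` open comes from.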
6

Linux (Ubuntu, Debian)

Copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store

sudo update-ca-certificates

Remove your CA and update the CA store:

sudo update-ca-certificates --fresh

Linux (CentOS 6)

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

A very nice link which explains how to add it on several popular OSes: https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

BiG_NoBoDy
  • Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Gerald Schneider Aug 13 '19 at 12:20
  • @GeraldSchneider > your comment read, and actioned ;) – BiG_NoBoDy Aug 14 '19 at 13:09
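The three procedures above differ in where the file goes and what name the tool expects, which matters for the question's .pem file: update-ca-certificates only collects `.crt` files, while the RHEL anchors directory and the old bundle take the PEM as-is. As an added example that is not from the answer, this dry-run helper picks the procedure by the update tool present, refuses input with no PEM certificate block, and prints the commands instead of running them; `detect_ca_store`, `ca_install_plan` and the constructed `corp-root.pem` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the answer above: a dry-run planner for the three
# procedures it lists (Debian/Ubuntu, CentOS 6, CentOS 5). It picks the
# procedure by which update tool is installed and checks the input first,
# printing the commands rather than running them.

# Number of PEM certificate blocks in a file. The store tools expect real
# certificates; a key or CSR pasted by mistake would silently add nothing.
count_pem_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true; }

# debian | rhel | legacy | unknown, decided by what exists on this host.
detect_ca_store() {
    if command -v update-ca-certificates >/dev/null 2>&1; then echo debian
    elif command -v update-ca-trust >/dev/null 2>&1; then echo rhel
    elif [ -f /etc/pki/tls/certs/ca-bundle.crt ]; then echo legacy
    else echo unknown
    fi
}

# Print the commands that would install $1 into store $2 (default: detected).
# Debian's update-ca-certificates only collects files ending in .crt, so a
# .pem input (as in the question) is renamed on copy; RHEL anchors and the
# legacy bundle accept the PEM file under its original name.
ca_install_plan() {
    cert=$1; store=${2:-$(detect_ca_store)}
    n=$(count_pem_certs "$cert")
    [ "${n:-0}" -ge 1 ] || { echo "error: $cert holds no PEM certificate" >&2; return 1; }
    base=$(basename "$cert"); name=${base%.*}
    case $store in
        debian) echo "sudo cp '$cert' '/usr/local/share/ca-certificates/$name.crt'"
                echo "sudo update-ca-certificates" ;;
        rhel)   echo "sudo update-ca-trust force-enable"
                echo "sudo cp '$cert' '/etc/pki/ca-trust/source/anchors/$base'"
                echo "sudo update-ca-trust extract" ;;
        legacy) echo "sudo tee -a /etc/pki/tls/certs/ca-bundle.crt < '$cert' >/dev/null" ;;
        *)      echo "error: no known CA store on this host" >&2; return 1 ;;
    esac
}

# Constructed PEM stand-in (header/footer only, not a real certificate) so the
# planner can be exercised without touching the system store.
DEMO_DIR=$(mktemp -d); DEMO_CERT=$DEMO_DIR/corp-root.pem
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' \
    '-----END CERTIFICATE-----' > "$DEMO_CERT"
: > "$DEMO_DIR/empty.pem"   # a file with no certificate, for the failure path
ca_install_plan "$DEMO_CERT" debian   # prints the cp + update-ca-certificates lines
```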
2

You could download the CA root certificates bundle from haxx.se, who are the creators of curl. Then just append your certificate to their .pem and refer to it when using curl with the --cacert option.

iammyr
0

The default CA bundle location is OS dependent. On RHEL5, it is located in /etc/pki/tls/certs/ca-bundle.pem. On other flavors of Linux or non-linux OSes, it may be in a different location.

John