Default CA Cert Bundle Location
Running curl with strace might give you a clue.
strace curl https://www.google.com |& grep open
Lots of output, but right near the end I see:
open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4
which /etc/ssl/certs/ is where my certificates are stored.
There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.
./curl-config --ca
gives the ca bundle install path.
I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.
I found an easy way: use the --cacert option with a wrong file name; the output will show the path.
Example:
~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
CAfile: non_existing_file
CApath: /etc/ssl/certs
-v with https in the URL.
$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
* Trying 172.217.9.174...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* *CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt*
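An added example, not part of the answers above: a small shell parser that pulls the CAfile and CApath values out of the two kinds of curl output quoted above (the error 77 message and the -v trace), then checks whether each location exists. The function names are hypothetical, the sample text is constructed from the outputs on this page, and the "none" case assumes curl's usual wording for an unset location.

```shell
#!/bin/sh
# Added example (not from the original answers): read the CA locations out of
# curl's own diagnostics instead of eyeballing them.

# Read curl stderr on stdin; print CAfile=<path> / CApath=<path> lines.
# Accepts the error-77 form and the -v form, drops CRs and stray "*" markers,
# and keeps spaces inside paths such as "C:/Program Files/...".
parse_ca_locations() {
    tr -d '\r' | sed -n -E 's/^[* ]*(CAfile|CApath): *(.*[^* ])[* ]*$/\1=\2/p'
}

# Hypothetical helper: run curl verbosely against a URL and parse its stderr.
curl_ca_locations() {
    curl -sv --max-time 10 -o /dev/null "$1" 2>&1 | parse_ca_locations
}

# Take one KEY=PATH line and report whether the location exists. For a CApath,
# count the hash-named entries (like 578d5c04.0 seen in the strace output).
describe_location() {
    key=${1%%=*}; path=${1#*=}
    # Assumption: curl prints "none" when a location is not configured.
    if [ "$path" = "none" ]; then echo "$key: not set"; return 0; fi
    case "$key" in
        CAfile)
            if [ -f "$path" ]; then echo "CAfile $path: present"
            else echo "CAfile $path: missing"; fi ;;
        CApath)
            if [ -d "$path" ]; then
                n=$(ls "$path" 2>/dev/null | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true)
                echo "CApath $path: $n hashed entries"
            else echo "CApath $path: missing"; fi ;;
    esac
}

# Constructed samples, copied from the two outputs quoted above.
sample_error77() { cat <<'EOF'
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs
EOF
}
sample_verbose() { cat <<'EOF'
* successfully set certificate verify locations:
* *CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt*
EOF
}

sample_error77 | parse_ca_locations | while IFS= read -r loc; do
    describe_location "$loc"
done
```

On a machine with curl installed, `curl_ca_locations https://www.google.com` feeds live output through the same parser.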
Linux (Ubuntu, Debian)
Copy your CA to dir /usr/local/share/ca-certificates/
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store
sudo update-ca-certificates
Remove your CA and update the CA store:
sudo update-ca-certificates --fresh
Linux (CentOS 6)
Install the ca-certificates package:
yum install ca-certificates
Enable the dynamic CA configuration feature: update-ca-trust force-enable
Add it as a new file to /etc/pki/ca-trust/source/anchors/:
cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
Linux (CentOS 5)
Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt
cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt
https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html is a very nice link, which explains how to add it to several popular OSes.