Default CA Cert Bundle Location

Running curl with strace might give you a clue.

strace curl https://www.google.com |& grep open

Lots of output, but right near the end I see:

open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4

so /etc/ssl/certs/ is where my certificates are stored.


There should be a program 'curl-config' in curl's 'bin/', i.e. where the 'curl' binary resides.

./curl-config --ca

gives the ca bundle install path.

I just did a whatis curl-config: "Get information about a libcurl installation" so I guess it will only be available if libcurl was installed, which I presume is standard though.


I found an easy way: use --cacert with a wrong file name, and the output will show the path.

Example:

~$ curl --cacert non_existing_file https://www.google.com
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs

Use -v with https in the URL.

$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* timeout on name lookup is not supported
*   Trying 172.217.9.174...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to google.com (172.217.9.174) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
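
An added example, not part of the answers above: POSIX shell functions that pull the CAfile/CApath lines out of curl output in either form quoted above (the error 77 message or the -v trace) and check that the reported locations are not group- or world-writable. The function names are hypothetical, and the permission check is an assumption about what is worth verifying once the path is known, not something the answers propose.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes POSIX sh, sed -E, ls.

# Constructed sample: the error-77 output quoted in the answer above.
SAMPLE='curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: /etc/ssl/certs'

# Read curl stderr on stdin; print CAfile=<path> / CApath=<path>.
# Accepts both the error-77 form and the "-v" form ("*   CAfile: ..."),
# and keeps spaces inside paths such as "C:/Program Files/...".
parse_ca_locations() {
  sed -n -E 's/^[*[:space:]]*(CAfile|CApath):[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1=\2/p'
}

# Return 0 if the path is not group/world-writable, 1 if it is, 2 if missing.
# A writable trust store lets an unprivileged local user add a trusted CA.
store_is_tamper_safe() {
  [ -e "$1" ] || return 2
  perms=$(ls -ldL -- "$1" | cut -c1-10)   # e.g. -rw-r--r-- or drwxr-xr-x
  case $perms in
    ?????w*|????????w*) return 1 ;;       # 6th char: group w, 9th: other w
  esac
  return 0
}

# Read curl stderr on stdin, print a verdict per location, and return
# non-zero if any reported location is writable or missing.
audit_ca_locations() {
  rc=0
  locs=$(parse_ca_locations)
  while IFS='=' read -r kind path; do
    case $path in none|'') continue ;; esac
    store_is_tamper_safe "$path" && st=0 || st=$?
    case $st in
      0) echo "ok $kind $path" ;;
      1) echo "WRITABLE $kind $path"; rc=1 ;;
      *) echo "missing $kind $path"; rc=1 ;;
    esac
  done <<EOF
$locs
EOF
  return $rc
}

# Live use: curl -sv https://www.google.com -o /dev/null 2>&1 | audit_ca_locations
printf '%s\n' "$SAMPLE" | parse_ca_locations
```

With the --cacert trick the CAfile line is the deliberately bogus name, so only the CApath verdict is meaningful for that input.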

Linux (Ubuntu, Debian)

Copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store

sudo update-ca-certificates

Remove your CA and update the CA store:

sudo update-ca-certificates --fresh

Linux (CentOS 6)

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html is a very nice link that explains how to add it to several popular OSes.