Difference between --cacert and --capath in curl?

When would one use the --cacert option vs. the --capath option within curl (CLI that is)?

--cacert appears to reference a monolithic file that contains multiple PEMs. Assume it scans through to find the matching hostname?

--capath appears to reference a directory in which multiple files live. Does curl pick up the appropriate certificate as a filename therein?

Jé Queue asked Mar 26 '12 20:03




2 Answers

From the docs:

--cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. If this option is used several times, the last one will be used.

--capath (HTTPS) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied with openssl. Certificate directories are not supported under Windows (because c_rehash uses symbolic links to create them). Using --capath can allow curl to make https connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. If this option is used several times, the last one will be used.

So, if you specify --cacert, the CA certs are stored in the specified file. These CA certificates are used to verify the certs of remote servers that cURL connects to.

The --capath option is used to specify a directory containing the CA certs rather than a single file. The c_rehash utility should be used to prepare the directory i.e., create the necessary links. The main benefit of using --capath would appear to be that it's more efficient than the --cacert single file approach if you have many CA certs.

Here's a script that probably does what c_rehash does:

# link each PEM as <subject-hash>.0 (the real c_rehash also numbers collisions .1, .2, ...)
for file in *.pem; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file").0"; done

With both options you should be careful to only include CA certs from CAs you trust. If for example, you know the remote servers should always be issued with certs from YourCompanyCA, then this is the only CA cert you should include.

PhilR answered Sep 19 '22 07:09
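An added example, not part of PhilR's answer: a POSIX shell version of the rehash that also handles the hash collisions the one-liner ignores (two CA certificates with the same subject hash get .0 and .1, as c_rehash does), and that can be re-run safely. It assumes the openssl CLI is on PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper (added example): build the <hash>.N symlinks curl's
# --capath lookup expects, for every *.pem in the directory.
# After running: curl --capath /path/to/cacerts https://example.test/
rehash_capath() {
    dir=$1
    # drop stale hash links from a previous run; the .pem files are untouched
    find "$dir" -maxdepth 1 -name '*.[0-9]' -type l -exec rm -f {} +
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        # subject-name hash in the form OpenSSL (and curl) look up: 8 hex chars
        hash=$(openssl x509 -hash -noout -in "$pem") || return 1
        # c_rehash semantics: first cert with this hash is .0, the next .1, ...
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        # relative link so the directory can be moved or mounted elsewhere
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# number of hash links present (handy for checking the result)
count_links() {
    find "$1" -maxdepth 1 -name '*.[0-9]' -type l | wc -l | tr -d ' '
}

if [ "$#" -gt 0 ]; then
    rehash_capath "$1"
    echo "$(count_links "$1") hash links in $1"
fi
```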


On Windows you can run the following as a batch file and pass in the capath folder name:

c_rehash.cmd:

@echo off
setlocal enableextensions enabledelayedexpansion
if \%1\ EQU \\ goto :usage
pushd %1
rem pushd sets ERRORLEVEL 1 when the folder does not exist
rem (the original "if NOT ERRORLEVEL 0" never fires, since ERRORLEVEL 0 is always true)
if ERRORLEVEL 1 goto :usage
rem remove links from a previous run, then link every PEM as <subject-hash>.0
del *.0
for %%I in (*.pem) do call :hash "%%I"
popd
goto :eof

:hash
rem mklink needs the symbolic-link privilege (run as administrator)
for /F "usebackq" %%J in (`openssl x509 -in %1 -hash -noout`) do mklink %%J.0 %1
goto :eof

:usage
echo Usage:
echo.
echo Rehash a folder of x509 Certificates for Curl
echo.
echo %~n0 ^<Folder^>

Example:

c_rehash c:\cacerts 
Darrek answered Sep 18 '22 07:09