How do I keep my cacert.pem current for security reasons when using curl?

Question

I would like to keep my root certificates current for use with cURL and PHP's internal curl command, however there is no parameter currently to download the current file it requires for a proper secure connection and to keep it current.

And example of using curl in PHP for a secure connection which requires a file named cacert.pem (PEM encoded certificate chain for validating remote connections) is as follows :

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
if (!($data = curl_exec($ch))) {
    echo "No data received";
} else {
    echo strlen($data) + " total byte(s)";
}
curl_close($ch);

While most people simply set CURLOPT_SSL_VERIFYPEER to false, and thus ignore the problem, which is bad . You can see here where a certificate authority shows that if you do not have this file current, the only way to connect to a secure server is to disable certificate checking and further warns of the implications behind disabling peer verification.

What I am requesting is for a legitimate way to maintain a local copy of cacert.pem so that when I use curl in PHP to communicate with other servers, I can continue to do so securely .

This is not a request for an external resource or off-site link etc, however due to the nature of the problem, it is likely that may be the ONLY way to resolve this as it would require continuous updating as certificate chains are revoked. To date, there is no way to obtain this file either as part of the distribution of curl itself, or php, or the curl library for php and continue to maintain it. While it is discouraging that this is not something which a simple update command like curl --update-root-ca would be nice, it does not exist in any form.

Answer 1

cacert.pem is used by curl. There is no ultimate authority on which certificates are to be trusted, but the lists used by web browsers are a good source. These lists are constantly updated due to CA changes and changes to security practices.

The authors of curl maintain a tool which can extract a cacert.pem from Firefox, and post a reasonably up-to-date output on their site:

• cacert.pem generated by the authors of curl
• caextract: for the most security-conscious, download the tool, inspect the source code and run it against your own Firefox.

Answer 2

Since initially writing this article, (and thus this rewrite), I was able to resolve my own problem by including links directly to the only legitimate source to maintain this file which is provided on the site maintained by the author of curl at this location

Further as technology is advancing this question has been updated to show how to use curl in PHP and force TLS v1.2 connection (something which certain transaction providers require or recommend and may not supply the information on how to do this).

Regarding certificate authorities, there are a few key root authorities such as :

• Symantec
• RapidSSL
• thawte
• GeoTrust
• Comodo

As well as other authorities by their nature such as

• Microsoft
• Mozilla
• Google

Which can be a frame for anyone looking to maintain their own cacert.pem. Keep in mind that you would need to download their revocation lists (certificates that have been breached or expired) from the respective crl's to maintain a proper trust mechanism, while you should be able to get away with just downloading their root certificate chains and using those as a local authorative file as your cacert.pem.