What exactly is cacert.pem for?

In my PayPal Pro payment page I use the cURL function curl_setopt_array() with the following option: CURLOPT_CAINFO => dirname(__FILE__) . '/cacert.pem'.

Works fine, however even after some research I don't understand what exactly cacert.pem is for. I don't understand the concept of "verification against" that is mentioned everywhere. And what is the relationship between this file and the .csr/.crt certificate I bought from my provider?

drake035 asked Feb 20 '13 19:02



1 Answer

cacert.pem is a bundle of CA certificates that you use to verify that the server is really the correct site you're talking to (when it presents its certificate in the SSL handshake). The bundle can be used by tools like curl or wget, as well as other TLS/SSL speaking software. The bundle should contain the certificates for the CAs you trust. This bundle is sometimes referred to as the "CA cert store".

Example:

curl --cacert cacert.pem https://example.com 

In the curl project, there's a cacert.pem being provided that is converted from the ca certs Mozilla ships for Firefox.

It is done by the use of digital signatures. For the full explanation of what a CA (certificate authority) is, I refer to Wikipedia.

Daniel Stenberg answered Sep 18 '22 15:09
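
To make "verification against" concrete, the following added example (not part of the original answer) creates two throwaway CAs with the openssl command line, has one of them sign a certificate from a .csr the way a provider does, and checks that certificate against two bundles. It uses openssl verify instead of curl so that it runs offline; the function names, file names and host name are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example. Every key and certificate here is throwaway test material
# generated at run time; names such as ca-a and shop.example are assumptions.

# make_ca DIR NAME: create a self-signed CA certificate (NAME.crt) and its key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA HOST: the "buying a certificate" flow. The site owner
# creates a key and a .csr; the CA signs the request and returns HOST.crt.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# verify_against BUNDLE CERT: is CERT signed by a CA listed in BUNDLE?
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# demo: prints the verdict for a bundle with the issuer, then one without it.
demo() {
  dir=$(mktemp -d) || return 1
  make_ca "$dir" ca-a && make_ca "$dir" ca-b &&
    issue_cert "$dir" ca-a shop.example || { rm -rf "$dir"; return 1; }
  cat "$dir/ca-a.crt" "$dir/ca-b.crt" > "$dir/cacert.pem"  # issuer is listed
  cp "$dir/ca-b.crt" "$dir/other.pem"                      # issuer is missing
  with=$(verify_against "$dir/cacert.pem" "$dir/shop.example.crt")
  without=$(verify_against "$dir/other.pem" "$dir/shop.example.crt")
  rm -rf "$dir"
  echo "$with $without"
}

demo   # prints: trusted untrusted
```

openssl verify checks only the signature chain; curl with --cacert or CURLOPT_CAINFO runs the same chain check against the bundle and additionally checks that the certificate matches the host name it connected to.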