Version française

Using Additional CA Certificates with curl and wget

Here's some information to use additional CA certificates with the curl and wget commands.

  1. Download/copy the certificates into a directory, e.g. ~/etc/certs.

  2. Generate the hash values with the c_rehash command and the directory as argument. For instance: c_rehash ~/etc/certs. With the official c_rehash utility from openssl, all the certificates must have the .pem extension; to support the .crt extension as well, which is commonly used, one must either use Debian's c_rehash script or replace /\.pem$/ by /\.(crt|pem)$/ in the script.

  3. Add the certificate directory to the configuration files of curl and wget. For instance, in the ~/.curlrc file:

    capath = "/home/user/etc/certs:/etc/ssl/certs"

    (note that the ~ and $HOME forms are not supported) if /etc/ssl/certs is the default directory (containing the certificates installed on the system); this is valid at least for curl 7.21 to 7.35. And in the ~/.wgetrc file (at least for wget 1.13 to 1.15):

    ca_directory = ~/etc/certs

    but it does not seem possible to use the default certificates (unless they are added in this directory); see Debian bug 646413.

Note: With MacPorts under Mac OS X, in order to have the certificates installed on the system with curl, one must install the curl port with the ssl variant, not the gnutls one.