[go: up one dir, main page]
Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / Protocols / CA Extract

CA certificates extracted from Mozilla

Related:
SSL Certs

The Mozilla CA certificate store in PEM format (around 200KB uncompressed):

cacert.pem

This bundle was generated at Tue Sep 24 03:12:04 2024 GMT .

This PEM file contains the datestamp of the conversion and we only make a new conversion if there is a change in either the script or the source file. This service checks for updates every day. Here's the sha256sum of the current PEM file.

filename

Some programs will expect this file to be named ca-bundle.crt (in the correct path). curl on windows has a system to find it if named curl-ca-bundle.crt.

CA file revisions per date of appearance

Missing Name Constraints

The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!

CA certificate store license

The PEM file is only a converted version of the original one and thus it is licensed under the same license as the Mozilla source file: MPL 2.0

Automated downloads from here

We do not mind you downloading the PEM file from us in an automated fashion.

A suitable curl command line to only download it when it has changed: 

  curl --etag-compare etag.txt --etag-save etag.txt --remote-name https://curl.se/ca/cacert.pem
Or if you use an ancient curl version that does not support etags: 
  curl --remote-name --time-cond cacert.pem https://curl.se/ca/cacert.pem

The conversion script mk-ca-bundle

The mk-ca-bundle tool converts Mozilla's certificate store to PEM format, suitable for (lib)curl and others.

Convert from your local Firefox installation

You can also extract the ca certs off your Firefox installation, if you just have the 'certutil' tool installed and run the firefox-db2pem.sh script!