generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Frankie V's description on how to get a CA cert for a random site using

Browse Source 
IE
This commit is contained in:
Daniel Stenberg 2004-08-25 08:09:48 +00:00
parent 49746d1dce
commit c10196afc0
1 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
docs/SSLCERTS
View File

@ -32,7 +32,25 @@ server, do one of the following:
configure with the --with-ca-bundle option pointing out the path of your configure with the --with-ca-bundle option pointing out the path of your
choice. choice.
If you're using the curl command line tool, you can specify your own CA To do this, you need to get the CA cert for your server in PEM format and
then append that to your CA cert bundle.
If you use Internet Explorer, this is one way to get extract the CA cert
for a particular server:
o View the certificate by double-clicking the padlock
o Find out where the CA certificate is kept (Certificate>
Authority Information Access>URL)
o Get a copy of the crt file using curl
o Convert it from crt to PEM using the openssl tool:
openssl x509 -inform DES -in yourdownloaded.crt \
-out outcert.pem -text
o Append the 'outcert.pem' to the CA cert bundle or use it stand-alone
as described below.
(Thanks to Frankie V for this description)
4. If you're using the curl command line tool, you can specify your own CA
cert path by setting the environment variable CURL_CA_BUNDLE to the path cert path by setting the environment variable CURL_CA_BUNDLE to the path
of your choice. of your choice.
@ -45,7 +63,7 @@ server, do one of the following:
4. Windows Directory (e.g. C:\windows) 4. Windows Directory (e.g. C:\windows)
5. all directories along %PATH% 5. all directories along %PATH%
4. Get a better/different/newer CA cert bundle! One option is to extract the 5. Get a better/different/newer CA cert bundle! One option is to extract the
one a recent Mozilla browser uses, by following the instruction found one a recent Mozilla browser uses, by following the instruction found
here: here:
@ -56,9 +74,3 @@ certificate that isn't signed by one of the certificates in the installed CA
cert bundle, will cause SSL to report an error ("certificate verify failed") cert bundle, will cause SSL to report an error ("certificate verify failed")
during the handshake and SSL will then refuse further communication with that during the handshake and SSL will then refuse further communication with that
server. server.
This procedure has been deemed The Right Thing even though it adds this extra
trouble for some users, since it adds security to a majority of the SSL
connections that previously weren't really secure. It turned out many people
were using previous versions of curl/libcurl without realizing the need for
the CA cert options to get truly secure SSL connections.