Custom CA Certificate Bundle for Curl

This article is a short step-by-step guide to configuring the curl command-line tool to use a custom Certificate Authority (CA) certificate bundle. You will learn how to specify a custom CA file for a single request using command-line flags, set it for a whole shell session using an environment variable, or configure it permanently in your per-user curl configuration file.

Method 1: Use the --cacert Command-Line Flag

The most direct way to specify a custom CA bundle for a single curl command is by using the --cacert option. This flag tells curl to verify the peer using the specific CA certificate file you provide.

Run the following command, replacing the path with the actual path to your .pem or .crt certificate bundle:

curl --cacert /path/to/your-ca-bundle.crt https://example.com

Method 2: Use the --capath Command-Line Flag

If your certificates are stored as individual files in a directory rather than merged into a single bundle, you can use the --capath option.

curl --capath /path/to/certificates/directory/ https://example.com

Note: The directory must be prepared using the c_rehash utility provided by OpenSSL so that curl can locate the certificates by their hash values.

Method 3: Set the CURL_CA_BUNDLE Environment Variable

To avoid typing the certificate path for every command, you can set an environment variable. curl automatically looks for the CURL_CA_BUNDLE variable to locate custom certificates.

On Linux/macOS:

Export the variable in your current terminal session:

export CURL_CA_BUNDLE="/path/to/your-ca-bundle.crt"
curl https://example.com

To make this change persistent, add the export command to your shell profile file (such as ~/.bashrc or ~/.zshrc).

On Windows (Command Prompt):

set "CURL_CA_BUNDLE=C:\path\to\your-ca-bundle.crt"
curl https://example.com

On Windows (PowerShell):

$env:CURL_CA_BUNDLE="C:\path\to\your-ca-bundle.crt"
# In Windows PowerShell, "curl" is an alias for Invoke-WebRequest; call curl.exe explicitly.
curl.exe https://example.com

Method 4: Use a .curlrc Configuration File

For a permanent configuration that applies every time you run curl as your current user, you can add the setting to your personal curl configuration file.

  1. Open or create the .curlrc file in your home directory (use _curlrc on Windows).
  2. Add the following line to the file:

cacert = "/path/to/your-ca-bundle.crt"

  3. Save the file. From now on, curl will default to using this CA bundle for all secure connections.
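
Whichever method you use, the bundle file becomes a trust anchor for every connection curl verifies against it, so it is worth checking before you point --cacert, CURL_CA_BUNDLE or .curlrc at it. The following is an added example, not part of the original article: the function names check_ca_bundle and write_sample_bundle are hypothetical, and the check covers only file permissions and PEM structure, not certificate contents such as expiry.

```shell
#!/bin/sh
# Added example: pre-flight check for a CA bundle before curl is told to trust it.

# Writes a constructed two-entry bundle. The bodies are placeholders with valid
# PEM armor, not real certificates.
write_sample_bundle() {
    for name in "Example Root A" "Example Root B"; do
        printf '%s\n-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n' "$name"
    done > "$1"
}

# check_ca_bundle FILE
# Prints the number of certificate blocks and returns 0 when FILE passes.
# Returns 2 missing, 3 writable by group/others, 4 private key present,
# 5 malformed PEM armor, 6 no certificates.
check_ca_bundle() {
    bundle=$1
    if [ ! -f "$bundle" ] || [ ! -r "$bundle" ]; then
        echo "missing or unreadable: $bundle" >&2; return 2
    fi
    # Anyone who can write the bundle can add a CA that curl will then trust.
    if [ -n "$(find -L "$bundle" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "writable by group or others: $bundle" >&2; return 3
    fi
    # A trust bundle holds public certificates only.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle"; then
        echo "private key material in: $bundle" >&2; return 4
    fi
    # Walk the PEM armor; text between blocks (labels, comments) is allowed.
    count=$(awk '
        { sub(/\r$/, "") }
        $0 == "-----BEGIN CERTIFICATE-----" { if (inblk) bad = 1; inblk = 1; body = 0; next }
        $0 == "-----END CERTIFICATE-----" { if (!inblk || !body) bad = 1; inblk = 0; n++; next }
        inblk { if ($0 ~ "^[A-Za-z0-9+/=]+$") body++; else bad = 1 }
        END { if (inblk || bad) print "bad"; else print n + 0 }' "$bundle")
    case $count in
        bad) echo "truncated or malformed PEM block in: $bundle" >&2; return 5 ;;
        0)   echo "no certificates in: $bundle" >&2; return 6 ;;
    esac
    echo "$count"
}
```

A typical use is to run check_ca_bundle on the file first and only then export CURL_CA_BUNDLE or write the cacert line to .curlrc.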