Can you use custom SSL certificates with wget?
Using the wget command-line utility, you can specify a
custom SSL/TLS certificate, a private key, and even a custom Certificate
Authority (CA) bundle to securely authenticate and establish HTTPS
connections. This is particularly useful when interacting with servers
that require client-side certificate authentication (mutual TLS) or when
working within environments that use self-signed certificates. By
leveraging specific command-line flags, wget allows you to
bypass default system certificate stores and point directly to your
local cryptographic assets.
Specifying Client Certificates and Private Keys
When a server requires the client to prove its identity via SSL/TLS
certificates, wget provides direct flags to pass these
files. The two most critical parameters for this setup are
--certificate and --private-key.
--certificate=file: Points wget to the file containing your client certificate. This is typically a .crt or .pem file.
--private-key=file: Specifies the private key file that matches your certificate, usually a .key or .pem file.
--private-key-type=type: If your key is not in the standard PEM format, you can specify its type (such as DER) using this flag.
An example of a command utilizing both a custom client certificate and a private key looks like this:
wget --certificate=/path/to/client.crt --private-key=/path/to/private.key https://example.com/secure-data
Trusting a Custom Certificate Authority (CA)
In scenarios where the remote server is using a self-signed
certificate or an identity issued by an internal corporate CA,
wget will throw an untrusted root error by default. Instead
of insecurely disabling certificate verification entirely, you can
instruct wget to trust your custom CA.
--ca-certificate=file: Allows you to specify a file containing the bundle of local CA certificates that wget should use to verify the remote server.
--ca-directory=directory: Alternatively, if you have a directory of multiple CA certificates prepared using the c_rehash utility, you can point wget to the entire folder.
To download a file from a server with a custom CA certificate, use the following syntax:
wget --ca-certificate=/path/to/custom-ca.pem https://internal-secure-server.local/file.zip
Alternative Certificate Formats
If your certificate and private key are combined into a single
PKCS#12 file (often carrying a .pfx or .p12
extension), wget cannot read it directly through the
standard flags. In these instances, the most efficient approach is to
use openssl to convert the file into separate PEM-formatted
certificate and key components before passing them to the
wget command.
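The conversion described above, as an added example that is not part of the original page: it splits a PKCS#12 bundle into PEM files and checks that the extracted key actually belongs to the extracted certificate before they are given to wget. The function names, the output file names and the P12_PASS variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): split a PKCS#12 bundle into the
# PEM certificate and key that wget's --certificate/--private-key flags expect.
# Function names and output file names are assumptions chosen for illustration.

# cert_key_match CERT KEY: succeed only if KEY is the private key for CERT,
# by comparing the public key embedded in each.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# p12_to_pem BUNDLE PASSIN OUTDIR
# PASSIN uses openssl's password-source syntax (env:VAR or file:PATH), which
# keeps the passphrase out of the process list, unlike pass:... on argv.
p12_to_pem() {
    p12=$1; passin=$2; outdir=$3
    mkdir -p "$outdir" || return 1
    (
        # The key is written unencrypted (-nodes) so wget can read it without
        # a prompt; umask 077 makes both files readable by the owner only.
        umask 077
        openssl pkcs12 -in "$p12" -passin "$passin" -clcerts -nokeys \
            -out "$outdir/client.crt" &&
        openssl pkcs12 -in "$p12" -passin "$passin" -nocerts -nodes \
            -out "$outdir/client.key"
    ) || return 1
    # Refuse to hand back a pair that does not belong together.
    cert_key_match "$outdir/client.crt" "$outdir/client.key"
}

# Typical use (paths are placeholders):
#   P12_PASS='...' ; export P12_PASS
#   p12_to_pem /path/to/client.p12 env:P12_PASS ./pem &&
#   wget --certificate=./pem/client.crt --private-key=./pem/client.key \
#        https://example.com/secure-data
```

Because the extracted key is stored without a passphrase, keep the output directory on storage only the calling user can read and delete the files once the transfer is done.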