16

I'm developing a program where I have a virtual development server that runs with a self signed certificate. My program uses curl to connect to the server and pull information, but needs to do so with SSL. When I try to connect I get the error "SSL certificate problem, verify that the CA cert is OK." When running firefox I can add the certificate to just firefox, but that doesn't help me with curl. How do I add the certificate for curl to recognize?

```
curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
```

Ubuntu 10.04 Lucid Lynx 64bit

Andrew Redd
  • [cURL: Adding/Installing/Trusting New Self-Signed Certificate](http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/) – Elnur Abdurrakhimov Oct 25 '12 at 07:04
  • Also see [Use self signed certificate with cURL?](https://stackoverflow.com/q/27611193/608639) It is a good, canonical answer. Daniel Stenberg, the author of cURL, answered the question. – jww Mar 03 '18 at 17:38

3 Answers

17

This is one way that worked for me:

First, get the CA cert from the development domain and save it to a file called 'logfile'. (Assumes port 443 for SSL)

```
openssl s_client -connect xxxxx.com:443 | tee logfile
```

Then, use the --cacert curl option to use the saved certificate file.

```
curl --cacert logfile THE REST OF YOUR CURL COMMAND
```

Source: http://curl.haxx.se/docs/sslcerts.html

Curt
  • This doesn't work for me. Mind trying on a current version of curl? Also, knowing what commands you used to generate the key may be useful. – coolaj86 Jul 15 '14 at 00:23
  • Worked for me using curl version curl 7.81.0 (Release-Date: 2022-01-05) – bczoma Mar 02 '22 at 16:01
15

I'd copy the certificate to /usr/local/share/ca-certificates/.

Let me quote the man page for update-ca-certificates:

> Furthermore all certificates with a .crt extension found below /usr/local/share/ca-certificates are also included as implicitly trusted.

StephenKing
user5286165
9

Add your rootCA.pem to the /usr/share/ca-certificates directory.

After that, update your certificates with the `update-ca-certificates --fresh` command.

I just did that, and it works fine.

Ondra Žižka
Bruno Soares
  • This would also require appending cert part to `/etc/ca-certificates.conf`, but you shouldn't do that, because it's autogenerated. Add the root PEM file to `/usr/local/share/ca-certificates` instead. – gronostaj Sep 28 '18 at 10:24
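
The steps from the answers above as shell functions, added here as an example and not code from any poster: `extract_pem` keeps only the PEM block from saved `openssl s_client` output, and `stage_ca_cert` copies it under `/usr/local/share/ca-certificates` with the `.crt` extension that `update-ca-certificates` looks for. The function names and the sample transcript are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names and sample data are constructed, not from the answers.

# Print only the PEM certificate block(s) found in saved `openssl s_client` output.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {inside=1}
         inside {print}
         /-----END CERTIFICATE-----/ {inside=0}' "$1"
}

# Copy a PEM file into the local CA directory as NAME.crt and print the path.
# The third argument overrides the directory (useful for a dry run).
stage_ca_cert() {
    pem=$1 name=$2 dir=${3:-/usr/local/share/ca-certificates}
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate found in $pem" >&2; return 1; }
    dest="$dir/${name%.pem}.crt"   # update-ca-certificates only reads *.crt
    cp "$pem" "$dest" && chmod 644 "$dest" && echo "$dest"
}

# Constructed stand-in for s_client output; the base64 line is filler,
# not a real certificate.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = dev.example.test
verify error:num=18:self signed certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIE9OTFk=
-----END CERTIFICATE-----
subject=/CN=dev.example.test
---
EOF
}

# On a real host (the last two steps need root):
#   openssl s_client -connect HOST:443 </dev/null >logfile 2>/dev/null
#   extract_pem logfile > dev.pem
#   curl --cacert dev.pem https://HOST/          # per-command trust
#   stage_ca_cert dev.pem devserver && update-ca-certificates   # system-wide trust
```

Before trusting the extracted file, compare its fingerprint with the one shown on the development server itself, since `s_client` saves whatever certificate the connection presented.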