Configure cURL to use the default system certificate store

I have a command line application that uses the libcurl-4 dll, and currently I can get everything working by putting my CA certificates in my working directory and passing their names to CURLOPT_CAINFO and CURLOPT_SSLCERT using ./ with their names.

But I am working to ensure that cURL does not use what is in the current directory, and instead uses certificates that are stored in my computer's system store.

From reading the cURL documentation, I understand that if you configure it without specifying the default ca-bundle or ca-path, then it will "automatically detect the configuration".

And that CURLOPT_CAINFO is by default set to "embedded system".

So can someone help me understand:

  • If nothing is specified during setup with curl, is this the default path that it detects in system storage? Or does curl use its own path for system storage?

  • What value do you give curl_easy_setopt(m_curlHandle, CURLOPT_CAINFO, *<value>) to make CURLOPT_CAINFO use the default value?

Any help is appreciated as I am still learning how it all works.

Thanks.

+4
curl ssl openssl pem
1 answer

OpenSSL does not support the use of the "CA certificate store" which Windows itself has. If you want your curl build to use this certificate store, you need to rebuild curl to use the schannel backend (aka "winssl"), which is the native Windows version and which also uses the Windows certificate store by default.

If you decide to continue using OpenSSL, you just have to provide CA certificates either in a PEM file or in a specially created directory. Since Windows does not provide its system store in this format, you either need to find a suitable store somewhere, or find out how to convert a Windows certificate store to PEM format.

+4
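
One way to do the conversion the answer mentions, as an added example that is not part of the original answer: a Python script that reads the Windows ROOT and CA stores through the standard library's `ssl.enum_certificates` (Windows only) and writes a PEM bundle. The output file name `ca-bundle.pem` and the helper names are assumptions; the filter keeps only certificates trusted for TLS server authentication.

```python
import ssl
import sys

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: TLS server authentication


def select_trusted_der(entries):
    """Filter (der_bytes, encoding, trust) tuples as returned by
    ssl.enum_certificates: keep X.509 DER certificates that are trusted
    for server authentication, dropping duplicates across stores."""
    seen, kept = set(), []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":           # skip PKCS#7 blobs
            continue
        if trust is not True and SERVER_AUTH_OID not in trust:
            continue                         # e.g. code-signing-only roots
        if der not in seen:
            seen.add(der)
            kept.append(der)
    return kept


def to_pem_bundle(der_certs):
    """Concatenate DER certificates into one PEM bundle (64-column base64)."""
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in der_certs)


def export_windows_roots(path, stores=("ROOT", "CA")):
    """Write the selected Windows store certificates to `path` as PEM."""
    if sys.platform != "win32":
        raise OSError("ssl.enum_certificates is only available on Windows")
    entries = [e for name in stores for e in ssl.enum_certificates(name)]
    certs = select_trusted_der(entries)
    with open(path, "w", newline="\n") as fh:
        fh.write(to_pem_bundle(certs))
    return len(certs)


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "ca-bundle.pem"  # assumed name
    print(export_windows_roots(out), "certificates written to", out)
```

Pass the absolute path of the generated file to CURLOPT_CAINFO so the bundle is not resolved relative to the working directory, and regenerate it when the Windows store changes.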