curl / Docs / Protocols / CA Extract

CA certificates extracted from Mozilla

Related:
SSL Certs

The Mozilla CA certificate store in PEM format (around 200KB uncompressed):

cacert.pem

This bundle was generated at Mon Mar 11 15:25:27 2024 GMT .

This PEM file contains the datestamp of the conversion and we only make a new conversion if there's a change in either the script or the source file. This service checks for updates every day. Here's the sha256sum of the current PEM file.

File name

Some programs will expect this file to be named ca-bundle.crt (in the correct path). curl on windows has a system to find it if named curl-ca-bundle.crt.

CA file revisions per date of appearance

Missing Name Constraints

The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!

CA certificate store license

The PEM file is only a converted version of the original one and thus it is licensed under the same license as the Mozilla source file: MPL 2.0

Automated downloads from here

We don't mind you downloading the PEM file from us in an automated fashion.

A suitable curl command line to only download it when it has changed:

  curl --etag-compare etag.txt --etag-save etag.txt --remote-name https://curl.se/ca/cacert.pem
Or if you use an ancient curl version that doesn't support etags:
  curl --remote-name --time-cond cacert.pem https://curl.se/ca/cacert.pem

The conversion script mk-ca-bundle

The mk-ca-bundle tool converts Mozilla's certificate store to PEM format, suitable for (lib)curl and others.

Convert from your local Firefox installation

You can also extract the ca certs off your Firefox installation, if you just have the 'certutil' tool installed and run the firefox-db2pem.sh script!