cURL Docs CA Extract
Automatically converted CA Certs from mozilla.org
We provide automated conversions. The output CA bundle file in PEM format is
available from here:
The PEM file contains the datestamp of the conversion and we try to only
convert if there's a change in either the script or the source file.
August 4th, 2013 -
The cacert.pem output now only contains certificates that are explicity
marked as trusted. The script was updated in
as a response to the
revision update of certdata.txt from June
2012. The certdata.txt format documentation?
January 6th, 2013 -
These ca cert bundles no longer contain
certificates as Mozilla marks them as untrusted and this script knows the
markup for that, but it may contain related certificates that Mozilla
(and others) would block using other means. (Like some certs that were
cross-signed by Entrust etc). See details
in bug #1178.
The mk-ca-bundle.pl script
The mk-ca-bundle tool converts Mozilla's CA
cert bundle to PEM format, suitable for (lib)curl and others. Writtten by
It is a perl script. The script uses the 'openssl' tool and it requires the
version that comes with the 0.9.7 series or later.
The exact Mozilla file needed for this job is found within that script.
CA bundle license
This new file is only a converted version of the original one and thus it is
licensed under the same licenses as the Mozilla source file: MPL 1.1, GPL
v2.0 or LGPL 2.1
Convert from your local Firefox installation
You can also extract the ca certs off your Firefox installation, if you
just have the 'certutil' tool installed and run the firefox-db2pem.sh script!
What - no HTTPS?
Yes, pointing out that this contents is not hosted on a HTTPS site is a
popular thing to do but really it doesn't help anyone, nor does it bring
- If you don't trust the data or want to be more certain: run the script yourself
- Offering the data over HTTPS would give you a chicken-and-egg problem as which CAs would you trust when you download the bundle?
- You're free to run your own caextract service on a HTTPS site to redeem
this. The scripts and everything we use to offer data on this page are
available in the curl source code tree.