cURL / Mailing Lists / curl-library / Single Mail


Re: NSS, CURLOPT_CAINFO, and using the NSS CAs

From: David Shaw <>
Date: Mon, 28 Jul 2014 11:56:46 -0400

On Jul 28, 2014, at 10:24 AM, Kamil Dudka <> wrote:

> On Thursday, July 24, 2014 17:18:25 David Shaw wrote:
>> Hello,
>> A good while back I had some code that needed to use the NSS CAs only (and
>> not the PEM ca-bundle file). I did this by symlinking into
>> my nssdb (so NSS would have the CA certs),
> I am not sure how this is supposed to work. Is it documented anywhere?

It's mentioned here:

Certainly a "certutil -d /etc/pki/nssdb -L -h all" does show all the CAs with the symlink in place, and shows nothing without the symlink in place.

I also tried "modutil -dbdir /etc/pki/nssdb -add ca_certs -libfile /usr/lib64/", which had the same result (certutil shows all the CAs, and removing that module makes certutil show nothing), but it similarly didn't work when done through curl.

Is there an alternate way to give NSS a set of CAs without importing each one specifically?


List admin:
Received on 2014-07-28