#include "_doctype.html"
cURL - Extract CA Certs from Mozilla
#include "css.t"
#define CURL_DOCS
#define PROT_DOCS
#define DOCS_CAEXTRACT
#define CURL_URL docs/caextract.html
#include "_menu.html"
#include "setup.t"
WHERE3(Docs, "/docs/", Protocol docs, "/docs/protdocs.html", CA Extract)
TITLE(Automatically converted CA Certs from mozilla.org)
Related:
SSL Certs

We provide automated conversions. The output CA bundle file in PEM format (250KB) is available from here:

The PEM file contains the datestamp of the conversion, and we try to convert only when either the script or the source file has changed.

#if 0
SUBTITLE(Changelog)

August 4th, 2013 -
The cacert.pem output now only contains certificates that are explicitly marked as trusted. The script was updated in commit 51f0b798fa in response to the 1.84 revision update of certdata.txt from June 2012. The certdata.txt format documentation?

January 6th, 2013 -
These CA cert bundles no longer contain the DigiNotar certificates, as Mozilla marks them as untrusted and this script knows the markup for that, but they may contain related certificates that Mozilla (and others) would block using other means (like some certs that were cross-signed by Entrust etc). See details in bug #1178.
#endif

SUBTITLE(RSA-1024 removed)

Around early September 2014, Mozilla removed the trust bits from the certs in their CA bundle that were still using RSA 1024 bit keys. This may make it hard for TLS libraries to verify some sites if the library in question doesn't properly support "path discovery" as described in RFC 4158. (That includes OpenSSL and GnuTLS.)

The last CA bundle we converted from before that cleanup: an older ca-bundle from github.

SUBTITLE(CA cert bundle license)

This new file is only a converted version of the original one and thus it is licensed under the same licenses as the Mozilla source file: MPL 1.1, GPL v2.0 or LGPL 2.1.

SUBTITLE(The conversion script mk-ca-bundle)
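To show what the conversion this section covers involves, here is an added, simplified illustration in Python that is not the project's mk-ca-bundle script: it walks the certdata.txt object layout, pairs each CKO_CERTIFICATE with its CKO_NSS_TRUST object, and writes PEM only for certs whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR, the "explicitly marked as trusted" rule from the changelog. Assumptions: the sample input and its octal DER bytes are constructed placeholders rather than real certificates, certs and trust objects are matched by label, and only the server-auth trust bit is considered.

```python
import base64, re, textwrap

# Constructed sample in certdata.txt layout (placeholder DER bytes, not real CAs):
# one root trusted for server auth, one explicitly marked not trusted.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\\060\\003\\002\\001\\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\\060\\003\\002\\001\\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_certdata(text):
    # Returns ({label: DER bytes}, {label: CKA_TRUST_SERVER_AUTH value}).
    certs, trust, lines = {}, {}, iter(text.splitlines())
    obj_class = label = None
    for line in lines:
        if line.startswith("CKA_CLASS "):
            obj_class = line.split()[-1]  # CKO_CERTIFICATE or CKO_NSS_TRUST
        elif line.startswith("CKA_LABEL "):
            label = line.split(" ", 2)[2].strip().strip('"')
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL") and obj_class == "CKO_CERTIFICATE":
            der = bytearray()  # \ooo octal escapes, one DER byte each, until END
            for octal_line in lines:
                if octal_line.strip() == "END":
                    break
                der += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal_line))
            certs[label] = bytes(der)
        elif line.startswith("CKA_TRUST_SERVER_AUTH ") and obj_class == "CKO_NSS_TRUST":
            trust[label] = line.split()[-1]
    return certs, trust

def trusted_pem_bundle(text):
    certs, trust = parse_certdata(text)
    bundle = []
    for label, der in certs.items():  # a cert with no trust object at all is also skipped
        if trust.get(label) == "CKT_NSS_TRUSTED_DELEGATOR":
            b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
            bundle.append(f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n")
    return bundle
```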

The mk-ca-bundle tool converts Mozilla's cert bundle to PEM format, suitable for (lib)curl and others. Written by Guenter Knauf.

SUBTITLE(Convert from your local Firefox installation)

You can also extract the CA certs from your Firefox installation if you have the 'certutil' tool installed: just run the firefox-db2pem.sh script!

#include "_footer.html"