TITLE(CA certificates extracted from Mozilla)
Related:
SSL Certs

The Mozilla CA certificate store in PEM format (around 250KB uncompressed) is available from here over HTTPS:

cacert.pem

This PEM file contains the datestamp of the conversion and we only make a new conversion if there's a change in either the script or the source file.

SUBTITLE(Recent CA file revisions per date of appearance)

SUBTITLE(Missing Name Constraints)

The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!

SUBTITLE(CA certificate store license)

The PEM file is only a converted version of the original one and thus it is licensed under the same license as the Mozilla source file: MPL 2.0

SUBTITLE(Automated downloads from here)

We don't mind you downloading the PEM file from us in an automated fashion, but please don't do it more often than once per day. It is only updated once every few months anyway.

A suitable curl command line to only download it when it has changed:

  curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
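
The once-a-day limit and the conditional fetch above can be combined in a small wrapper that also refuses to install a truncated file. This is an added example, not code from the curl project; the function names, the `.checked` stamp file, the `.new` temporary file and the 50-certificate floor are assumptions.

```shell
#!/bin/sh
# Added example, not curl project code. Function names, the ".checked" stamp
# file, the ".new" temp file and the 50-certificate floor are assumptions.
CA_URL="https://curl.haxx.se/ca/cacert.pem"   # URL given on this page

# Succeed if $1 holds at least $2 certificates and every BEGIN marker has a
# matching END marker, i.e. the download was not truncated or replaced by an
# error page.
bundle_ok() {
    begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "${begin:-0}" -ge "${2:-1}" ] && [ "${begin:-0}" -eq "${end:-0}" ]
}

# Succeed if stamp file $1 is missing or at least 24 hours old.
due_for_check() {
    [ ! -e "$1" ] || [ -n "$(find "$1" -mtime +0)" ]
}

# Refresh bundle $1: contact the server at most once a day, transfer the body
# only if it is newer than the local copy, and install only a bundle that
# passes bundle_ok.
update_bundle() {
    dest=$1; stamp="$dest.checked"; tmp="$dest.new"
    due_for_check "$stamp" || return 0
    touch "$stamp"            # a failed attempt also waits for the next day
    rm -f "$tmp"
    if [ -f "$dest" ]; then
        curl --fail --silent --show-error --time-cond "$dest" \
             --output "$tmp" "$CA_URL" || return 1
    else
        curl --fail --silent --show-error --output "$tmp" "$CA_URL" || return 1
    fi
    [ -s "$tmp" ] || { rm -f "$tmp"; return 0; }   # not modified: no body saved
    if bundle_ok "$tmp" 50; then
        mv "$tmp" "$dest"     # rename in the same directory: no partial file visible
    else
        rm -f "$tmp"; return 1
    fi
}

# Typical use from a daily cron job (the path is an assumption):
#   update_bundle /etc/ssl/local/cacert.pem
```
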
SUBTITLE(The conversion script mk-ca-bundle)

The mk-ca-bundle tool converts Mozilla's certificate store to PEM format, suitable for (lib)curl and others.

SUBTITLE(Convert from your local Firefox installation)

You can also extract the CA certs from your Firefox installation: all you need is the 'certutil' tool installed, then run the firefox-db2pem.sh script!