How to Locate and Modify the Default CA Cert Bundle for cURL and Linux Systems

When working with SSL/TLS certificates in Linux environments, the default Certificate Authority (CA) bundle serves as the trust store for verifying server certificates. The location varies across distributions and applications like cURL.

For cURL specifically, you can identify the bundle path using:

curl-config --ca

Common default locations across Linux distributions include:

  • Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt
  • RedHat/CentOS: /etc/pki/tls/certs/ca-bundle.crt
  • OpenSUSE: /etc/ssl/ca-bundle.pem
  • macOS (Homebrew): /usr/local/etc/openssl/cert.pem

To append your custom PEM file (e.g., custom_ca.pem) to the bundle:

# First check whether the bundle is writable as your own user (normally only root can write it)
test -w /etc/ssl/certs/ca-certificates.crt || echo "Need root privileges"

# Append your certificate (the >> redirect runs in your shell, not under sudo, so wrap the whole command)
sudo sh -c "cat custom_ca.pem >> /etc/ssl/certs/ca-certificates.crt"

# Update certificate stores (Debian/Ubuntu)
# Caveat: update-ca-certificates regenerates ca-certificates.crt from the system store,
# so an entry appended directly can be dropped; for a persistent addition, copy
# custom_ca.pem to /usr/local/share/ca-certificates/custom_ca.crt first and let
# this command merge it into the bundle.
sudo update-ca-certificates

Be aware that some applications maintain their own trust stores:

# Java keytool
keytool -importcert -alias my_ca -file custom_ca.pem -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts

# Python requests
import certifi
print(certifi.where())

Confirm your certificate was added successfully:

# Print the subject and SHA-256 fingerprint of your certificate, so you can match it against the bundle
openssl x509 -in custom_ca.pem -noout -subject -fingerprint -sha256
# Count the certificates in the bundle (should be one more than before the append)
grep -c "BEGIN CERTIFICATE" /etc/ssl/certs/ca-certificates.crt

# Test with cURL
curl --cacert /etc/ssl/certs/ca-certificates.crt https://yourserver.com

Instead of modifying system bundles, consider these methods:

# Environment variable override
export CURL_CA_BUNDLE=/path/to/custom_bundle.crt

# Per-command specification
curl --cacert custom_bundle.crt https://yourserver.com

# Symbolic link approach (when possible)
sudo ln -s /path/to/custom_bundle.crt /etc/ssl/certs/my_custom_bundle.crt

The default CA cert bundle location varies across operating systems and distributions. Here are the most common locations:

# Linux (Debian/Ubuntu)
/etc/ssl/certs/ca-certificates.crt

# Linux (RedHat/CentOS)
/etc/pki/tls/certs/ca-bundle.crt

# macOS (Homebrew openssl)
/usr/local/etc/openssl/cert.pem

# Windows (cURL built with openssl)
C:\Program Files\cURL\bin\curl-ca-bundle.crt

For a more reliable approach, you can use these methods to discover the path:

# Using OpenSSL
openssl version -d | grep OPENSSLDIR

# Using cURL (shows effective path)
curl-config --ca

To append your custom PEM file to the existing bundle:

# Backup original bundle
sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak

# Append new certificate
sudo sh -c "cat /path/to/your/cert.pem >> /etc/ssl/certs/ca-certificates.crt"

# Verify the update (should show your cert)
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -text -noout | less
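The append-and-verify steps above (in both walkthroughs) rely on a plain shell redirect, which happily adds the same certificate twice and gives no direct confirmation that the bundle now holds it. The following added example, written for this page and not taken from cURL, OpenSSL or any distribution's tooling, parses a PEM bundle with only the Python standard library, computes the same SHA-256 fingerprint that `openssl x509 -fingerprint -sha256` prints, and appends a certificate only if that fingerprint is not already present. The sample bundle and custom certificate are constructed placeholders (arbitrary bytes in PEM framing, not real X.509 data) so it runs offline.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block and captures its base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_pem_bundle(text):
    """Return the DER bytes of every certificate found in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT_RE.findall(text)]


def fingerprint_sha256(der):
    """Colon-separated upper-case SHA-256 fingerprint of the DER encoding,
    matching the output of `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ensure_in_bundle(bundle_text, cert_text):
    """Append each certificate in cert_text to bundle_text unless an identical
    DER blob is already there. Returns (new_bundle_text, number_added)."""
    present = {fingerprint_sha256(d) for d in parse_pem_bundle(bundle_text)}
    added = 0
    out = bundle_text if not bundle_text or bundle_text.endswith("\n") else bundle_text + "\n"
    for match in PEM_CERT_RE.finditer(cert_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fp = fingerprint_sha256(der)
        if fp in present:
            continue  # already trusted: do not duplicate it
        present.add(fp)
        out += match.group(0) + "\n"
        added += 1
    return out, added


def _fake_pem(payload):
    # Constructed placeholder: a real bundle carries DER-encoded X.509 here;
    # arbitrary bytes are used so the example needs no openssl to run.
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample bundle with two entries, plus one new custom CA certificate.
SAMPLE_BUNDLE = _fake_pem(b"root-ca-1" * 10) + _fake_pem(b"root-ca-2" * 10)
CUSTOM_CA = _fake_pem(b"internal-ca" * 10)
```

Running `ensure_in_bundle(SAMPLE_BUNDLE, CUSTOM_CA)` twice adds the custom certificate once and reports zero additions the second time; to check a real file, pass the contents of ca-certificates.crt and your PEM and compare the returned count with the fingerprint printed by openssl.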

For systems where modifying the global bundle isn't ideal:

# Environment variable override
export CURL_CA_BUNDLE=/path/to/your/custom-bundle.crt

# cURL specific option
curl --cacert /path/to/your/custom-bundle.crt https://example.com

# Python requests library
import requests
requests.get('https://example.com', verify='/path/to/your/custom-bundle.crt')

When working with certificate bundles:

  • Always maintain proper file permissions (typically 644)
  • Keep backups before modifying system files
  • Consider using update-ca-certificates (on Debian/Ubuntu) instead of manual modification
  • For containerized environments, mount your custom bundle rather than modifying the base image