The cacert.pem file from curl.haxx.se (the curl project's site, now curl.se) is a Certificate Authority (CA) bundle: the root certificates of the major public CAs, extracted from Mozilla's trust store. Keep in mind what it is and what it is not:
- A collection of trusted root certificates that clients use to verify server identities
- Not a server certificate for your domains; it contains no private keys and cannot be served by your web server
- Used by client applications (curl, PHP's curl extension and similar) as the set of trust anchors when validating the chain a server presents
For local development with multiple domains/subdomains, you need:
1. A certificate whose subjectAltName covers every name you serve (self-signed, or issued by a local CA)
2. Proper certificate chain configuration on the server
3. Browser trust for that certificate, or for the local CA that issued it
Here's how to generate a self-signed wildcard certificate with OpenSSL. One caveat first: most browsers reject a second-level wildcard such as *.localhost (mkcert prints a warning when asked for one), and OpenSSL's own hostname check does not expand it either, so list each host name you actually use as its own SAN entry, or use a deeper wildcard such as *.dev.localhost.
# Generate private key
openssl genrsa -out localhost.key 2048
# Create CSR config file (localhost.cnf)
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
L = San Francisco
O = Development
CN = *.localhost
[v3_req]
basicConstraints = CA:FALSE
# digitalSignature is needed for ECDHE key exchange, keyEncipherment for RSA key exchange;
# dataEncipherment is not used by TLS
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Browsers match the host name against subjectAltName only; the CN is ignored
subjectAltName = @alt_names
[alt_names]
# A second-level wildcard like *.localhost is not honoured by most clients. Add each host name
# you use as its own entry (for example DNS.3 = app.localhost) or use a deeper wildcard such as *.dev.localhost
DNS.1 = *.localhost
DNS.2 = localhost
# Generate CSR
openssl req -new -key localhost.key -out localhost.csr -config localhost.cnf
# Generate self-signed certificate
openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt -extfile localhost.cnf -extensions v3_req
Add this to your Apache configuration:
<VirtualHost *:443>
ServerName localhost
ServerAlias *.localhost
SSLEngine on
SSLCertificateFile "/path/to/localhost.crt"
SSLCertificateKeyFile "/path/to/localhost.key"
# A self-signed certificate has no chain. If you later issue from a local CA, append any
# intermediates to SSLCertificateFile; SSLCertificateChainFile is deprecated since Apache 2.4.8
# SSLCertificateChainFile "/path/to/intermediate.crt"
</VirtualHost>
To make macOS trust the certificate:
- Open Keychain Access
- Drag your localhost.crt file into the System keychain
- Double-click the certificate
- Under the Trust section, set "When using this certificate" to "Always Trust"
For easier local certificate management:
# Install mkcert
brew install mkcert
# Setup local CA
mkcert -install
# Generate wildcard certificate
mkcert "*.localhost"
- Don't use the curl CA bundle as your server certificate
- For production, obtain certificates from Let's Encrypt or commercial CAs
- Self-signed certificates are only suitable for development
- Clear browser cache if certificate warnings persist
The cacert.pem file from curl.haxx.se (now curl.se) is a bundle of Certificate Authority (CA) root certificates. It contains the trusted roots of the major public CAs, extracted from Mozilla's trust store, and clients use it to verify the certificate chain a server presents during an HTTPS handshake.
# Typical usage in PHP: verify the peer's chain against the bundle and its host name
# against the certificate. CURLOPT_SSL_VERIFYHOST defaults to 2; never set either
# option to false to silence a certificate error
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
For local development, you have several options:
- Self-signed certificates: the quickest option, but every certificate has to be trusted individually
- A local CA: create your own root once, issue server certificates from it and trust only the root; tools like mkcert automate this
- Wildcard certificates: one certificate for many subdomains, provided the wildcard sits at least two labels deep (*.dev.localhost rather than *.localhost)
Here's how to create a wildcard certificate for *.localhost development:
# Generate root CA (one-time); openssl req prompts for the CA's subject
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
# Create the wildcard key and CSR
openssl genrsa -out wildcard.localhost.key 2048
openssl req -new -key wildcard.localhost.key -out wildcard.localhost.csr
# Extensions for the leaf certificate (wildcard.localhost.ext). Without a subjectAltName,
# Chrome and other current clients reject the certificate even when the CN matches
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.localhost, DNS:localhost
# Sign the CSR with the local CA, attaching the extensions
openssl x509 -req -in wildcard.localhost.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out wildcard.localhost.crt -days 500 -sha256 -extfile wildcard.localhost.ext
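The script below is an added example (not part of either answer above, nor of mkcert or curl) that runs the local-CA procedure just shown end to end with the subjectAltName browsers require, then uses openssl verify -verify_hostname to show which host names the resulting certificate actually covers. The same check applies to the self-signed wildcard certificate from the first answer; only the signing step differs. File names (devca.*, leaf.*, wildcard.*, other.pem), the subjects and the host names tested are this example's own choices, and the script assumes an openssl 1.1.x or newer binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original answers: build a throwaway local CA,
# issue a development certificate with an explicit SAN list, then ask OpenSSL's
# own verifier which host names it accepts. File names, subjects and host names
# are this example's choices; it only needs openssl (1.1.x or newer) in PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_dev_pki() {
    # 1. Root CA. A private config avoids depending on the system openssl.cnf
    #    and marks the certificate CA:TRUE so it may sign leaf certificates.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Development
CN = Local Dev CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORK/devca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/devca.key" -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -out "$WORK/devca.pem" 2>/dev/null

    # 2. Leaf key and CSR. The CN is irrelevant to hostname checks; the SAN decides.
    cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = *.localhost
EOF
    openssl genrsa -out "$WORK/wildcard.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/wildcard.key" -config "$WORK/leaf.cnf" \
        -out "$WORK/wildcard.csr" 2>/dev/null

    # 3. Leaf extensions. The SAN deliberately mixes the forms discussed above:
    #    second-level wildcard, bare name, explicit host, third-level wildcard.
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.localhost, DNS:localhost, DNS:api.localhost, DNS:*.dev.localhost
EOF

    # 4. Sign the CSR with the CA, attaching the extensions from step 3
    openssl x509 -req -in "$WORK/wildcard.csr" -CA "$WORK/devca.pem" \
        -CAkey "$WORK/devca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$WORK/leaf.ext" -out "$WORK/wildcard.crt" 2>/dev/null
}

# Does the leaf chain to the CA file $1 and match host name $2? Prints ok or fail.
# -no-CAfile/-no-CApath keep the system trust store out of the decision.
check_host_with_ca() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$2" \
        "$WORK/wildcard.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

check_host() { check_host_with_ca "$WORK/devca.pem" "$1"; }

# The same leaf judged by a CA that never issued it: this is what a client that
# trusts only the public curl bundle concludes about a locally issued certificate.
check_against_other_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/other.key" \
        -config "$WORK/ca.cnf" -subj "/O=Development/CN=Unrelated CA" -days 1 \
        -out "$WORK/other.pem" 2>/dev/null
    check_host_with_ca "$WORK/other.pem" localhost
}

make_dev_pki
openssl x509 -in "$WORK/wildcard.crt" -noout -text | grep -A1 'Subject Alternative Name'
for h in localhost api.localhost web.localhost app.dev.localhost a.b.dev.localhost; do
    printf '%-20s %s\n' "$h" "$(check_host "$h")"
done
printf '%-20s %s\n' "unrelated CA" "$(check_against_other_ca)"
```

Run it with sh and read the table: localhost and api.localhost pass because they are listed explicitly, app.dev.localhost passes through the three-label wildcard, while web.localhost fails even though *.localhost is in the SAN, and a.b.dev.localhost fails because a wildcard covers exactly one label. The last line shows the same leaf rejected by an unrelated CA, which is the position of any client that trusts only the public curl bundle.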
Add this to your Apache configuration:
<VirtualHost *:443>
ServerName test.localhost
ServerAlias *.localhost
SSLEngine on
SSLCertificateFile "/path/to/wildcard.localhost.crt"
SSLCertificateKeyFile "/path/to/wildcard.localhost.key"
# Optional: intermediate certificates. SSLCertificateChainFile is deprecated since Apache 2.4.8;
# append intermediates to SSLCertificateFile instead. The root CA itself does not belong in the
# served chain; clients must already trust it
# SSLCertificateChainFile "/path/to/rootCA.pem"
</VirtualHost>
To make browsers trust your local certificates, import the root CA (not each leaf) as a trusted root:
# Import the root CA into the macOS System keychain and mark it trusted as a root
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
Firefox maintains its own trust store, so if it still warns, import the root there as well (mkcert -install does this when certutil is installed).
For a simpler setup, consider using mkcert:
# Install mkcert
brew install mkcert
# Create the local CA and install it into the system trust store (and Firefox, when certutil is available)
mkcert -install
# Generate a certificate. mkcert warns that many browsers do not accept a second-level
# wildcard like *.localhost; listing the host names you use is the reliable choice
mkcert "*.localhost"