Configure cURL to use default system cert store on Windows

Cody Pritchard picture Cody Pritchard · May 31, 2016 · Viewed 9.4k times · Source

I have a command line application that is using the libcurl-4 dll's, and currently I can get everything to work by placing my CA certs in my working directory and passing their names to the CUTLOPT_CAINFO and CURLOPT_SSLCERT with ./ prefix to their names.

But, what I am working on is getting cURL to not use what is in the current directory and instead use the certs that are stored in my computers system store.

From reading cURL's documentation I understand that if you configure it without giving a specified default ca-bundle or ca-path that ti will "auto-detect a setting".

And that the CURLOPT_CAINFO is by default set to "built-in system specific"

So can anyone help me understand:

  1. if nothing is specified at configure time with curl, is the default path it detects the system store? Or does curl use its own path for a system store?

  2. what value do you give curl_easy_setopt(m_curlHandle, CURLOPT_CAINFO, *<value> ) to make CURLOPT_CAINFO go use its default value?

Any help is appreciated as i am still learning how this all works.

Thank you.

Answer

Daniel Stenberg picture Daniel Stenberg · May 31, 2016

OpenSSL does not support using the "CA certificate store" that Windows has on its own. If you want your curl build to use that cert store, you need to rebuild curl to use the schannel backend instead (aka "winssl"), which is the Windows native version that also uses the Windows cert store by default.

If you decide to keep using OpenSSL, you simple must provide CA certs in either a PEM file or a specially crafted directory as Windows doesn't provide its system store using that format you either have to get a suitable store from somewhere or figure out how to convert the Windows cert store to PEM format.

Update

Starting with libcurl 7.71.0, due to ship on June 24, 2020, it will get the ability to use the Windows CA cert store when built to use OpenSSL. You then need to use the CURLOPT_SSL_OPTIONS option and set the correct bit in the bitmask: CURLSSLOPT_NATIVE_CA.