Adding self-signed SSL certificate for libcurl

Question

I am using libcurl in my C application to communicate with an HTTPS server that I have set up. I generated a self-signed certificate on that server that I wish to use with curl.

Answer 1

To add a self-signed certificate, use CURLOPT_CAINFO

To retrieve the SSL public certificate of a site, use

openssl s_client -connect www.site.com:443 | tee logfile

The certificate is the portion marked by ----BEGIN CERTIFICATE---- and
---END CERTIFICATE----.

Save that certificate into a file, and use curl in a manner like so:

CURL* c = curl_easy_init();
curl_easy_setopt(c, CURLOPT_URL, "https://www.site.com");
curl_easy_setopt(c, CURLOPT_CAINFO, "/path/to/the/certificate.crt");
curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_perform(c);
curl_easy_cleanup(c);

Answer 2

First, you kind of mix "Certificate Authority" files and "Certificate" files which confuses me.

How can I add my own CA/Self-signed certificate so that libcurl will successfully validate it?

This might be seen as a complementary answer to the one above. In the case you want to add a self-signed CA (every root-CA is self-signed) so that libcurl will successfully validate a website's certificate, which has been generated by the CA, then continue reading.

With CURLOPT_CAINFO you need to pass the "Certificate Authority" file (CA) that was used when generating the (non-CA) certificate of the site you want to verify.

(I do not know if this option works by passing it a non-CA certificate, the documentation is not really clear on this, and the previous answer has 2 up-votes, so if anyone has tested it please comment)

You can also pass a Certificate Authority chain file that contains the CA that was used, in case it was not a root-CA.

Here's a little tutorial I've found that can help you test your solution:

Creating a private root CA: http://www.flatmtn.com/article/setting-openssl-create-certificates

Creating a site certificate: http://www.flatmtn.com/article/setting-ssl-certificates-apache