Configure cURL to use default system cert store on Windows

攒了一身酷 2020-12-20 17:27

I have a command line application that is using the libcurl-4 DLLs, and currently I can get everything to work by placing my CA certs in my working directory

2 answers
  • 2020-12-20 17:37

    Since April 2018, for those of you who want to download a file using the Windows command line, you can use the Curl.exe executable. From Windows 10 build 17063 and later, Curl is included, so that you can execute it directly from Cmd.exe or PowerShell.exe.

    curl.exe -V
    curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
    Release-Date: [unreleased]
    Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp 
    Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL 
    

    Be careful: in PowerShell the cmdlet Invoke-WebRequest is aliased with the name curl, so unalias this cmdlet (Remove-Item alias:curl) or explicitly use curl.exe.

    As far as I understand, curl.exe is built with Schannel (Microsoft's native TLS engine), so libcurl still performs peer certificate verification, but instead of using a CA cert bundle, it uses the certificates that are built into the OS.

    curl.exe  "https://www.7-zip.org/a/7z1805-x64.exe"  --output c:\temp\7zip.exe
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1404k  100 1404k    0     0  1404k      0  0:00:01 --:--:--  0:00:01 9002k
    
  • 2020-12-20 17:58

    OpenSSL does not support using the "CA certificate store" that Windows has on its own. If you want your curl build to use that cert store, you need to rebuild curl to use the schannel backend instead (aka "winssl"), which is the Windows native version that also uses the Windows cert store by default.

    If you decide to keep using OpenSSL, you simply must provide CA certs in either a PEM file or a specially crafted directory. As Windows doesn't provide its system store in that format, you either have to get a suitable store from somewhere or figure out how to convert the Windows cert store to PEM format.

    Update

    Starting with libcurl 7.71.0, due to ship on June 24, 2020, it will get the ability to use the Windows CA cert store when built to use OpenSSL. You then need to use the CURLOPT_SSL_OPTIONS option and set the correct bit in the bitmask: CURLSSLOPT_NATIVE_CA.

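As an added example (my code, not from either answer or the curl project), the PowerShell script below does the conversion the second answer describes: it exports the machine's trusted roots from the Windows certificate store into a PEM bundle that an OpenSSL-built curl or libcurl can consume through --cacert / CURLOPT_CAINFO, so peer verification stays on without shipping a separate CA file. It assumes Windows PowerShell 5.1 or later; the output path under $env:TEMP and the Export-WindowsRootsToPem function name are my choices.

```powershell
# Added example, not code from the thread: build a PEM CA bundle from the
# Windows trusted-root store for an OpenSSL-built curl/libcurl.
# Assumes Windows PowerShell 5.1+; the output path is an assumption.
$BundlePath = Join-Path $env:TEMP 'windows-roots.pem'
$Now = Get-Date

function Export-WindowsRootsToPem {
    param([Parameter(Mandatory)][string]$Path)
    $lines = New-Object System.Collections.Generic.List[string]
    $count = 0
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        # Only export anchors that are valid right now; expired roots add nothing.
        if ($cert.NotAfter -lt $Now -or $cert.NotBefore -gt $Now) { continue }
        # DER bytes of the public certificate only (no private key is involved).
        $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $b64 = [Convert]::ToBase64String($der)
        # Text outside the BEGIN/END markers is ignored by the PEM reader,
        # so record what each anchor is for later auditing of the bundle.
        $lines.Add("# Subject: $($cert.Subject)")
        $lines.Add("# SHA-1 thumbprint: $($cert.Thumbprint)")
        $lines.Add('-----BEGIN CERTIFICATE-----')
        # PEM convention is 64 base64 characters per line.
        for ($i = 0; $i -lt $b64.Length; $i += 64) {
            $lines.Add($b64.Substring($i, [Math]::Min(64, $b64.Length - $i)))
        }
        $lines.Add('-----END CERTIFICATE-----')
        $lines.Add('')
        $count++
    }
    # OpenSSL expects plain ASCII with no BOM, so avoid PowerShell's default encoding.
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    return $count
}

$n = Export-WindowsRootsToPem -Path $BundlePath
Write-Host "Exported $n trusted roots to $BundlePath"

# 'curl' is an alias for Invoke-WebRequest in PowerShell (see the first answer),
# so call curl.exe by its full name. Verification stays enabled: curl is pointed
# at the exported bundle rather than run with --insecure / -k.
& curl.exe --cacert $BundlePath -sS -o "$env:TEMP\7zip.exe" 'https://www.7-zip.org/a/7z1805-x64.exe'
```

Regenerate the bundle whenever Windows Update changes the root store, since a static PEM file silently drifts away from what the OS actually trusts.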