发表新帖
发表新帖

Difference between --cacert and --capath in curl?

前端 未结
关注
2 887
情深已故
情深已故 2021-02-02 07:28

When would one use the --cacert option vs. the --capath option within curl (CLI that is).

--cacert appears to refer

相关标签:
2条回答
  • Happy的楠姐
    2021-02-02 08:18

    From the docs:

    --cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. If this option is used several times, the last one will be used.

    --capath (HTTPS) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied with openssl. Certificate directories are not supported under Windows (because c_rehash uses symbolink links to create them). Using --capath can allow curl to make https connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. If this option is used several times, the last one will be used.

    So, if you specify --cacert, the CA certs are stored in the specified file. These CA certificates are used to verify the certs of remote servers that cURL connects to.

    The --capath option is used to specify a directory containing the CA certs rather than a single file. The c_rehash utility should be used to prepare the directory i.e., create the necessary links. The main benefit of using --capath would appear to be that it's more efficient than the --cacert single file approach if you have many CA certs.

    Here's a script that probably does what c_rehash does:

    for file in *.pem; do ln -s $file `openssl x509 -hash -noout -in $file`.0; done

    With both options you should be careful to only include CA certs from CAs you trust. If for example, you know the remote servers should always be issued with certs from YourCompanyCA, then this is the only CA cert you should include.

    0 讨论(0)
  • 不知归路
    2021-02-02 08:27

    On Windows you can run the following as a batch file and pass in the capath folder name:

    c_rehash.cmd:

    @echo off
setlocal enableextensions enabledelayedexpansion
if \%1\ EQU \\ goto :usage
pushd %1
if NOT ERRORLEVEL 0 goto :usage
del *.0
for %%I in (*.pem) do call :hash %%I
popd
goto :eof
:hash
for /F "usebackq" %%J in (`openssl x509 -in %1 -hash -noout`) do mklink %%J.0 %1
goto :eof
:usage
echo Usage:
echo.
echo Rehash a folder of x509 Certificates for Curl
echo.
echo %~n0 ^<Folder^>

    Example:

    c_rehash c:\cacerts
    0 讨论(0)
 看不清?
提交回复
热议问题