Difference between --cacert and --capath in curl?

2019-03-17 13:25发布

站内问答 / 移动开发
1639 2 6

When would one use the --cacert option vs. the --capath option within curl (CLI that is).

--cacert appears to reference a monolithic file that contains multiple PEMs. Assume it scans through to find the matching hostname?

--capath appears to reference a directory in which multiple files live. Does curl pick up the appropriate certificate as a filename therein?

2条回答
相关推荐>>
2楼-- · 2019-03-17 14:01

On Windows you can run the following as a batch file and pass in the capath folder name:

c_rehash.cmd:

@echo off
setlocal enableextensions enabledelayedexpansion
if \%1\ EQU \\ goto :usage
pushd %1
if NOT ERRORLEVEL 0 goto :usage
del *.0
for %%I in (*.pem) do call :hash %%I
popd
goto :eof
:hash
for /F "usebackq" %%J in (`openssl x509 -in %1 -hash -noout`) do mklink %%J.0 %1
goto :eof
:usage
echo Usage:
echo.
echo Rehash a folder of x509 Certificates for Curl
echo.
echo %~n0 ^<Folder^>

Example:

c_rehash c:\cacerts
查看更多
0人赞 添加讨论(0) 举报
可以哭但决不认输i
3楼-- · 2019-03-17 14:11

From the docs:

--cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. If this option is used several times, the last one will be used.

--capath (HTTPS) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied with openssl. Certificate directories are not supported under Windows (because c_rehash uses symbolink links to create them). Using --capath can allow curl to make https connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. If this option is used several times, the last one will be used.

So, if you specify --cacert, the CA certs are stored in the specified file. These CA certificates are used to verify the certs of remote servers that cURL connects to.

The --capath option is used to specify a directory containing the CA certs rather than a single file. The c_rehash utility should be used to prepare the directory i.e., create the necessary links. The main benefit of using --capath would appear to be that it's more efficient than the --cacert single file approach if you have many CA certs.

Here's a script that probably does what c_rehash does:

for file in *.pem; do ln -s $file `openssl x509 -hash -noout -in $file`.0; done

With both options you should be careful to only include CA certs from CAs you trust. If for example, you know the remote servers should always be issued with certs from YourCompanyCA, then this is the only CA cert you should include.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)