
How do I keep my cacert.pem current for security reasons when using curl?


Since initially writing this article (and thus this rewrite), I was able to resolve my own problem by including links directly to the only legitimate source maintaining this file, which is provided on the site maintained by the author of curl at this location

Further, as technology is advancing, this question has been updated to show how to use curl in PHP and force a TLS v1.2 connection (something which certain transaction providers require or recommend, and for which they may not supply information on how to do it).

Regarding certificate authorities, there are a few key root authorities such as:

  • Symantec
  • RapidSSL
  • thawte
  • GeoTrust
  • Comodo

As well as other authorities by their nature such as:

  • Microsoft
  • Mozilla
  • Google

These can be a frame for anyone looking to maintain their own cacert.pem. Keep in mind that you would need to download their revocation lists (certificates that have been breached or expired) from the respective CRLs to maintain a proper trust mechanism, while you should be able to get away with just downloading their root certificate chains and using those as a local authoritative file as your cacert.pem.


cacert.pem is used by curl. There is no ultimate authority on which certificates are to be trusted, but the lists used by web browsers are a good source. These lists are constantly updated due to CA changes and changes to security practices.

The authors of curl maintain a tool which can extract a cacert.pem from Firefox, and post a reasonably up-to-date output on their site:

  • cacert.pem generated by the authors of curl
  • caextract: for the most security-conscious, download the tool, inspect the source code and run it against your own Firefox.
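As an added example (not code from the question or the answer above), here is a POSIX sh updater for the approach the answer describes: fetch the bundle the curl authors publish, verify the SHA-256 they publish beside it before installing, and flag a bundle that has gone unrefreshed. It assumes a Linux host with curl, sha256sum and find, and the curl.se download URLs below.

```shell
# Refresh curl's cacert.pem from the bundle the curl authors publish,
# verify the published SHA-256 before installing, and flag a bundle that
# has gone unrefreshed. Assumes Linux (curl, sha256sum, find) and the
# curl.se download URLs below.
BUNDLE_URL="https://curl.se/ca/cacert.pem"
SHA_URL="https://curl.se/ca/cacert.pem.sha256"

# Succeed only if the SHA-256 of bundle $1 equals the first field of digest file $2.
verify_bundle() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Print how many PEM certificates bundle $1 holds (a truncated download shows as 0 or a low count).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Succeed if bundle $1 is missing or was last written more than $2 days ago.
bundle_is_stale() {
    [ ! -f "$1" ] || [ -n "$(find "$1" -mtime +"$2" -print)" ]
}

# Download, verify and atomically install the bundle at $1.
update_cacert() {
    dest="${1:-/etc/ssl/cacert.pem}"
    tmp=$(mktemp -d "$(dirname "$dest")/cacert.XXXXXX")  # same filesystem, so mv is atomic
    trap 'rm -rf "$tmp"' EXIT
    # TLS 1.2+ over https only, so the bundle cannot be swapped in transit.
    curl -fsS --proto '=https' --tlsv1.2 -o "$tmp/cacert.pem" "$BUNDLE_URL"
    curl -fsS --proto '=https' --tlsv1.2 -o "$tmp/cacert.pem.sha256" "$SHA_URL"
    if ! verify_bundle "$tmp/cacert.pem" "$tmp/cacert.pem.sha256"; then
        echo "SHA-256 mismatch, not installing" >&2; return 1
    fi
    n=$(count_certs "$tmp/cacert.pem")
    if [ "$n" -lt 1 ]; then echo "no certificates in download" >&2; return 1; fi
    if [ -f "$dest" ] && cmp -s "$tmp/cacert.pem" "$dest"; then
        touch "$dest"                      # record that the check ran
        echo "$dest already current ($n certificates)"; return 0
    fi
    chmod 0644 "$tmp/cacert.pem"
    mv "$tmp/cacert.pem" "$dest"
    echo "installed $dest ($n certificates)"
}

# Invoke as: sh update-cacert.sh --run /etc/ssl/cacert.pem (e.g. weekly from cron).
case "${1:-}" in --run) update_cacert "${2:-}" ;; esac
```

Point the resulting file at curl with `--cacert` (or `CURLOPT_CAINFO` in PHP) and run the script on a schedule so the bundle tracks the Mozilla-derived list the answer refers to.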