---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: cacert
Arg: <file>
Help: CA certificate to verify peer against
Protocols: TLS
Category: tls
Added: 7.5
Multi: single
See-also:
  - capath
  - dump-ca-embed
  - insecure
Example:
  - --cacert CA-file.txt $URL
---

# `--cacert`

Use the specified certificate file to verify the peer. The file may contain
multiple CA certificates. The certificate(s) must be in PEM format. Normally
curl is built to use a default file for this, so this option is typically used
to alter that default file.

curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set
and the TLS backend is not Schannel, and uses the given path as a path to a CA
cert bundle. This option overrides that variable.

(Windows) curl automatically looks for a CA certs file named
'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the
Current Working Directory, or in any folder along your PATH.

curl 8.11.0 added a build-time option to disable this search behavior, and
another option to restrict search to the application's directory.

(iOS and macOS only) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines, but it
should not be set. If the option is not set, then curl uses the certificates
in the system and user Keychain to verify the peer, which is the preferred
method of verifying the peer's certificate chain.

(Schannel only) This option is supported for Schannel in Windows 7 or later
(added in 7.60.0). This option is supported for backward compatibility with
other SSL engines; instead it is recommended to use Windows' store of root
certificates (the default for Schannel).
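As an added example (not part of curl or its documentation), a pre-flight check for a file meant for `--cacert`: it confirms the file holds complete PEM certificate blocks and reports which CA source applies under the precedence described above. The function names and the sample bundle are constructed for illustration; the check is structural only and does not validate the certificates themselves.

```shell
#!/bin/sh
# Added example: pre-flight check for a file intended for `curl --cacert`.
# Structural check only; it does not parse or validate the certificates.

# Print the number of complete PEM certificate blocks in FILE ($1).
# Fails when there are none (e.g. a DER file) or when the markers are
# unbalanced (e.g. a truncated download). Trailing CR (CRLF files) is allowed.
pem_cert_count() {
    awk '
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----[ \t\r]*$/   { if (inblk) n++; else bad = 1; inblk = 0; next }
        END { if (inblk) bad = 1; print n + 0; exit ((bad || n == 0) ? 1 : 0) }
    ' "$1"
}

# Report which CA source applies, following the precedence in the text:
# --cacert overrides CURL_CA_BUNDLE, and the variable is ignored with Schannel.
# $1 = value given to --cacert (may be empty), $2 = TLS backend name.
# "default" stands for whatever the build or platform uses on its own.
effective_ca_source() {
    if [ -n "$1" ]; then
        printf 'cacert:%s\n' "$1"
    elif [ -n "${CURL_CA_BUNDLE:-}" ] && [ "$2" != "schannel" ]; then
        printf 'env:%s\n' "$CURL_CA_BUNDLE"
    else
        printf 'default\n'
    fi
}

# Write a constructed sample bundle to $1. The base64 bodies are
# placeholders, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# Root A (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQQ==
-----END CERTIFICATE-----
# Root B (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQg==
-----END CERTIFICATE-----
EOF
}
```

Running `pem_cert_count` in CI before a bundle is deployed catches a DER file or a truncated download early, rather than as a TLS verification failure at request time.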