---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Short: E
Long: cert
Arg: <certificate[:password]>
Help: Client certificate file and password
Protocols: TLS
Category: tls
Added: 5.0
Multi: single
See-also:
  - cert-type
  - key
  - key-type
Example:
  - --cert certfile --key keyfile $URL
---

# `--cert`

Use the specified client certificate file when getting a file with HTTPS, FTPS
or another SSL-based protocol. The certificate must be in PKCS#12 format if
using Secure Transport, or PEM format if using any other engine. If the
optional password is not specified, it is queried for on the terminal. Note
that this option assumes a certificate file that is the private key and the
client certificate concatenated. See --cert and --key to specify them
independently.

In the \<certificate\> portion of the argument, you must escape the character
`:` as `\:` so that it is not recognized as the password delimiter. Similarly,
you must escape the double quote character as \" so that it is not recognized
as an escape character.

If curl is built against the OpenSSL library, and the engine pkcs11 is
available, then a PKCS#11 URI (RFC 7512) can be used to specify a certificate
located in a PKCS#11 device. A string beginning with `pkcs11:` is interpreted
as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option is
set as `pkcs11` if none was provided and the --cert-type option is set as
`ENG` if none was provided.

If curl is built against the GnuTLS library, a PKCS#11 URI can be used to
specify a certificate located in a PKCS#11 device. A string beginning with
`pkcs11:` is interpreted as a PKCS#11 URI.

(iOS and macOS only) If curl is built against Secure Transport, then the
certificate string can either be the name of a certificate/private key in the
system or user keychain, or the path to a PKCS#12-encoded certificate and
private key. If you want to use a file from the current directory, precede it
with a `./` prefix, in order to avoid confusion with a nickname.

(Schannel only) Client certificates must be specified by a path expression to
a certificate store. (Loading *PFX* is not supported; you can import it to a
store first). You can use "\<store location\>\\<store name\>\\<thumbprint\>"
to refer to a certificate in the system certificates store, for example,
*"CurrentUser\MY\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a"*. The thumbprint is
usually a SHA-1 hex string which you can see in the certificate details. The
following store locations are supported: *CurrentUser*, *LocalMachine*,
*CurrentService*, *Services*, *CurrentUserGroupPolicy*,
*LocalMachineGroupPolicy* and *LocalMachineEnterprise*.
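
A pre-flight check for the combined PEM file and the `:` escaping described above, as an added example that is not part of curl's documentation or code. The function names are hypothetical, and the rule that group and other must have no access to the file is this example's assumption rather than something curl enforces:

```shell
#!/bin/sh
# Added example, not curl project code. Function names are hypothetical.

# Build the <certificate> part of the --cert argument from a file name.
cert_arg() {
    case $1 in
        pkcs11:*) printf '%s\n' "$1"; return ;;  # PKCS#11 URI, passed as is
        */*) p=$1 ;;
        *) p=./$1 ;;  # "./" keeps Secure Transport from reading a nickname
    esac
    # Escape ':' as '\:' so it is not taken as the password delimiter.
    printf '%s\n' "$p" | sed 's/:/\\:/g'
}

# Return 0 only if the file has both a certificate and a private key (the
# layout --cert assumes without --key) and group/other have no access.
# The permission rule is this example's assumption, not a curl requirement.
check_combined_pem() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no certificate block in $f" >&2; return 3; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo "no private key in $f; supply it with --key" >&2; return 4; }
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "group/other can access $f" >&2; return 5; }
    return 0
}

# Usage (no password given, so curl asks for it on the terminal):
#   check_combined_pem client.pem &&
#       curl --cert "$(cert_arg client.pem)" "$URL"
```

The check only looks for PEM block markers; it does not parse the certificate or confirm that the key matches it.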