xref: /curl/docs/cmdline-opts/cert.md (revision e7219c2b)
---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Short: E
Long: cert
Arg: <certificate[:password]>
Help: Client certificate file and password
Protocols: TLS
Category: tls
Added: 5.0
Multi: single
See-also:
  - cert-type
  - key
  - key-type
Example:
  - --cert certfile --key keyfile $URL
---

# `--cert`

Use the specified client certificate file when getting a file with HTTPS, FTPS
or another SSL-based protocol. The certificate must be in PKCS#12 format if
using Secure Transport, or PEM format if using any other engine. If the
optional password is not specified, it is queried for on the terminal. Note
that this option assumes a certificate file that is the private key and the
client certificate concatenated. See --cert and --key to specify them
independently.

In the \<certificate\> portion of the argument, you must escape the character
`:` as `\:` so that it is not recognized as the password delimiter. Similarly,
you must escape the double quote character as \" so that it is not recognized
as an escape character.

If curl is built against the OpenSSL library and the pkcs11 engine is
available, then a PKCS#11 URI (RFC 7512) can be used to specify a certificate
located in a PKCS#11 device. A string beginning with `pkcs11:` is interpreted
as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option is
set as `pkcs11` if none was provided and the --cert-type option is set as
`ENG` if none was provided.

(iOS and macOS only) If curl is built against Secure Transport, then the
certificate string can either be the name of a certificate/private key in the
system or user keychain, or the path to a PKCS#12-encoded certificate and
private key. If you want to use a file from the current directory, precede it
with a `./` prefix to avoid confusion with a nickname.

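The `:` escaping, `pkcs11:` and `./` rules above, combined into one shell helper. This is an added example, not part of curl or its documentation: `cert_arg` is a hypothetical name, it treats its first argument as a file path unless it begins with `pkcs11:`, and it covers only the `:` rule, rejecting paths that contain a backslash or double quote.

```shell
#!/bin/sh
# Added example (not curl's own code): build the value for curl's --cert
# option from a certificate path and an optional password.
# Usage: curl --cert "$(cert_arg ./client.pem "$password")" "$URL"
# cert_arg is a hypothetical helper name.
cert_arg() {
    cert=$1
    case $cert in
        pkcs11:*)
            # A string beginning with "pkcs11:" is interpreted as a PKCS#11
            # URI, so it is passed through unchanged.
            printf '%s\n' "$cert"
            return 0 ;;
        *\\*|*\"*)
            # Assumption of this example: backslashes and double quotes are
            # out of scope, so such paths are refused instead of guessed at.
            echo "cert_arg: backslash or double quote not handled" >&2
            return 1 ;;
    esac

    # A bare file name gets a "./" prefix so that a Secure Transport build
    # does not take it for a keychain nickname.
    case $cert in
        */*) ;;
        *) cert="./$cert" ;;
    esac

    # Escape every ':' in the path as '\:' so that curl does not read the
    # rest of the file name as the password.
    escaped=$(printf '%s' "$cert" | sed 's/:/\\:/g')

    if [ $# -ge 2 ]; then
        # The unescaped ':' separates the certificate from the password.
        printf '%s:%s\n' "$escaped" "$2"
    else
        # No password given: curl queries for it on the terminal.
        printf '%s\n' "$escaped"
    fi
}
```
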
(Schannel only) Client certificates must be specified by a path expression to
a certificate store. (Loading *PFX* is not supported; you can import it to a
store first). You can use "\<store location\>\\<store name\>\\<thumbprint\>"
to refer to a certificate in the system certificates store, for example,
*"CurrentUser\MY\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a"*. The thumbprint is
usually a SHA-1 hex string, which you can see in the certificate details. The
following store locations are supported: *CurrentUser*, *LocalMachine*,
*CurrentService*, *Services*, *CurrentUserGroupPolicy*,
*LocalMachineGroupPolicy* and *LocalMachineEnterprise*.
