1---
2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3SPDX-License-Identifier: curl
4Title: CURLOPT_ISSUERCERT
5Section: 3
6Source: libcurl
7See-also:
8  - CURLOPT_CRLFILE (3)
9  - CURLOPT_SSL_VERIFYHOST (3)
10  - CURLOPT_SSL_VERIFYPEER (3)
11Protocol:
12  - TLS
13TLS-backend:
14  - OpenSSL
15  - GnuTLS
16Added-in: 7.19.0
17---
18
19# NAME
20
21CURLOPT_ISSUERCERT - issuer SSL certificate filename
22
23# SYNOPSIS
24
25~~~c
26#include <curl/curl.h>
27
28CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ISSUERCERT, char *file);
29~~~
30
31# DESCRIPTION
32
33Pass a char pointer to a null-terminated string naming a *file* holding a CA
34certificate in PEM format. If the option is set, an additional check against
35the peer certificate is performed to verify the issuer is indeed the one
36associated with the certificate provided by the option. This additional check
37is useful in multi-level PKI where one needs to enforce that the peer
38certificate is from a specific branch of the tree.
39
This option only has an effect when used in combination with the
CURLOPT_SSL_VERIFYPEER(3) option. Without peer verification the issuer check
is not treated as a failure, so an issuer mismatch does not fail the transfer.
43
A specific error code, CURLE_SSL_ISSUER_ERROR, is defined for this option. It
is returned when the setup of the SSL/TLS session fails because the issuer of
the peer certificate does not match (CURLOPT_SSL_VERIFYPEER(3) has to be set
too for the check to fail). (Added in 7.19.0)
48
49Using this option multiple times makes the last set string override the
50previous ones. Set it to NULL to disable its use again.
51
52The application does not have to keep the string around after setting this
53option.
54
55# DEFAULT
56
57NULL
58
59# %PROTOCOLS%
60
61# EXAMPLE
62
63~~~c
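/*
 * Fetch a URL while requiring that the peer certificate was issued by the CA
 * certificate stored in the given PEM file.
 *
 * Returns 0 when the transfer succeeded and 1 otherwise, so a failed issuer
 * check is visible to the caller instead of being silently dropped.
 */
int main(void)
{
  /* stays at this value when no easy handle could be created */
  CURLcode res = CURLE_FAILED_INIT;
  CURL *curl = curl_easy_init();
  if(curl) {
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    /* The issuer check only fails the transfer while peer verification is
       enabled, so CURLOPT_SSL_VERIFYPEER is left at its default (enabled). */
    curl_easy_setopt(curl, CURLOPT_ISSUERCERT, "/etc/certs/cacert.pem");
    /* CURLE_SSL_ISSUER_ERROR here means the peer certificate's issuer did
       not match the certificate in the file set above. */
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
  return (res == CURLE_OK) ? 0 : 1;
}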
75~~~
76
77# %AVAILABILITY%
78
79# RETURN VALUE
80
81Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
82CURLE_OUT_OF_MEMORY if there was insufficient heap space.
83