xref: /curl/docs/libcurl/opts/CURLOPT_SSLCERT.md (revision e3fe0200) 
1---
2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3SPDX-License-Identifier: curl
4Title: CURLOPT_SSLCERT
5Section: 3
6Source: libcurl
7See-also:
8  - CURLOPT_KEYPASSWD (3)
9  - CURLOPT_SSLCERTTYPE (3)
10  - CURLOPT_SSLKEY (3)
11Protocol:
12  - TLS
13TLS-backend:
14  - OpenSSL
15  - GnuTLS
16  - mbedTLS
17  - Schannel
18  - Secure Transport
19  - wolfSSL
20---
21
22# NAME
23
24CURLOPT_SSLCERT - SSL client certificate
25
26# SYNOPSIS
27
28~~~c
29#include <curl/curl.h>
30
31CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLCERT, char *cert);
32~~~
33
34# DESCRIPTION
35
36Pass a pointer to a null-terminated string as parameter. The string should be
37the filename of your client certificate. The default format is `P12` on Secure
38Transport and `PEM` on other engines, and can be changed with
39CURLOPT_SSLCERTTYPE(3).
40
41With Secure Transport, this can also be the nickname of the certificate you
42wish to authenticate with as it is named in the security database. If you want
43to use a file from the current directory, please precede it with `./` prefix,
44in order to avoid confusion with a nickname.
45
46(Schannel only) Client certificates can be specified by a path expression to a
47certificate store. (You can import *PFX* to a store first). You can use
48"\<store location\>\\\<store name\>\\\<thumbprint\>" to refer to a certificate
49in the system certificates store, for example,
50**"CurrentUser\\MY\\934a7ac6f8a5d579285a74fa"**. The thumbprint is usually a
51SHA-1 hex string which you can see in certificate details. Following store
52locations are supported: **CurrentUser**, **LocalMachine**,
53**CurrentService**, **Services**, **CurrentUserGroupPolicy**,
54**LocalMachineGroupPolicy**, **LocalMachineEnterprise**. Schannel also support
55P12 certificate file, with the string `P12` specified with
56CURLOPT_SSLCERTTYPE(3).
57
58When using a client certificate, you most likely also need to provide a
59private key with CURLOPT_SSLKEY(3).
60
61The application does not have to keep the string around after setting this
62option.
63
64# DEFAULT
65
66NULL
67
68# EXAMPLE
69
70~~~c
71int main(void)
72{
73  CURL *curl = curl_easy_init();
74  if(curl) {
75    CURLcode res;
76    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
77    curl_easy_setopt(curl, CURLOPT_SSLCERT, "client.pem");
78    curl_easy_setopt(curl, CURLOPT_SSLKEY, "key.pem");
79    curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "s3cret");
80    res = curl_easy_perform(curl);
81    curl_easy_cleanup(curl);
82  }
83}
84~~~
85
86# AVAILABILITY
87
88If built TLS enabled.
89
90# RETURN VALUE
91
92Returns CURLE_OK if TLS enabled, CURLE_UNKNOWN_OPTION if not, or
93CURLE_OUT_OF_MEMORY if there was insufficient heap space.
94