TL;DR
Yes, you can block a rogue Certificate Authority (CA) using cURL by modifying its CA bundle or providing a custom one. This prevents cURL from trusting certificates issued by that untrusted CA.
How to Block a Rogue CA with cURL
- Understand the CA Bundle: cURL uses a file called a ‘CA bundle’ which contains a list of trusted root certificates. When connecting to an HTTPS server, cURL checks if the server’s certificate (and any intermediate certificates) are signed by a CA in this bundle. If not, it will refuse the connection.
- Default Location: where the CA bundle lives depends on your operating system:
  - Linux: usually `/etc/ssl/certs/ca-certificates.crt`
  - macOS: cURL uses the system's trust store, managed by Keychain Access.
  - Windows: cURL often relies on the Windows Certificate Store.
- Locate Your Current CA Bundle (Linux Example): You can find out which CA bundle cURL is using with:
  curl -v -o /dev/null https://example.com 2>&1 | grep 'CAfile'
  cURL writes its verbose output to stderr, so `2>&1` sends that output into the pipe (the response body is discarded with `-o /dev/null`) and `grep` keeps only the line that names the CA file.
- Create a Custom CA Bundle: The safest approach is to create a new, custom CA bundle instead of modifying the system-wide one. This avoids potential issues with other applications that rely on the default bundle.
  - Copy your existing CA bundle:
    cp /etc/ssl/certs/ca-certificates.crt my_custom_ca_bundle.crt
  - Edit `my_custom_ca_bundle.crt` with a text editor (e.g., `nano`, `vim`) and remove the certificate(s) of the rogue CA from this file. Important: be very careful when editing the bundle! Removing legitimate certificates will break connections to trusted sites.
- Tell cURL to Use Your Custom Bundle: You can specify the custom CA bundle using the `--cacert` option:
  curl --cacert my_custom_ca_bundle.crt https://example.com
- Test the Block: If the rogue CA is blocked, cURL should now fail to connect to servers using certificates issued by that CA.
  - If you're unsure whether a server uses a certificate from the rogue CA, run `curl -v https://example.com` and look for the CA name in the output.
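The copy-then-edit steps above leave the most error-prone part (finding and deleting exactly one PEM block in a file of a hundred or more) to a text editor. The following script is an added example, not code from the original page: it builds the custom bundle by comparing every certificate block in the bundle against the rogue CA's PEM certificate, drops only matching blocks, and then offers a `check_blocked` helper that treats cURL's certificate-verification exit status (60) as proof the block took effect. It assumes POSIX `sh`, `awk`, `grep` and `curl`; the bundle and file names are placeholders, and the sample bundle it writes is constructed fake base64, not real certificates.

```sh
#!/bin/sh
# Added example (not from the original page). Builds a cURL-only custom CA
# bundle with one CA removed, selecting it by its PEM certificate rather than
# by hand-editing. Assumes POSIX sh, awk, grep and curl; file names are
# placeholders.

# Print the base64 body of the first PEM certificate in a file on one line, so
# two copies of the same certificate compare equal regardless of line wrapping.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         inblk                         { printf "%s", $0 }
         END                           { print "" }' "$1"
}

# Count the certificates in a bundle (one BEGIN line per certificate).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# remove_ca BUNDLE ROGUE_PEM OUT
# Copy every certificate block from BUNDLE to OUT except those whose body
# matches the certificate in ROGUE_PEM; lines outside blocks (comments, blank
# lines) pass through unchanged. Prints the number of blocks dropped.
remove_ca() {
    rogue=$(pem_body "$2")
    : > "$3"   # make sure OUT exists even if nothing is written to it
    awk -v rogue="$rogue" -v out="$3" '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; block = $0 "\n"; body = ""; next }
        /-----END CERTIFICATE-----/ {
            block = block $0 "\n"
            if (body == rogue) { dropped++ } else { printf "%s", block > out }
            inblk = 0; next
        }
        inblk { block = block $0 "\n"; body = body $0; next }
        { print > out }
        END { print dropped + 0 }
    ' "$1"
}

# check_blocked BUNDLE URL
# Succeeds (exit 0) only if cURL, trusting nothing but BUNDLE, refuses the
# connection with exit status 60 (peer certificate cannot be authenticated).
# Needs network access to the URL.
check_blocked() {
    if curl --silent --show-error --output /dev/null --cacert "$1" "$2"; then
        return 1            # connection succeeded: the issuer is still trusted
    else
        [ "$?" -eq 60 ]     # any other failure is not evidence of a block
    fi
}

# write_sample DIR: create a constructed toy bundle (fake base64, NOT real
# certificates) plus the "rogue" certificate that should be removed from it.
write_sample() {
    cat > "$1/bundle.crt" <<'EOF'
# constructed sample bundle: three fake certificate blocks
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFB
QUFBQUFBQUFB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9HVUVDQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0NDQ0NDQ0ND
-----END CERTIFICATE-----
EOF
    cat > "$1/rogue.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Uk9HVUVDQQ==
-----END CERTIFICATE-----
EOF
}

# Demonstration on the constructed sample.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
demo_dropped=$(remove_ca "$demo_dir/bundle.crt" "$demo_dir/rogue.pem" "$demo_dir/custom.crt")
echo "dropped $demo_dropped certificate(s); $(count_certs "$demo_dir/custom.crt") remain"
rm -rf "$demo_dir"
# Real use (placeholder names):
#   remove_ca /etc/ssl/certs/ca-certificates.crt rogue.pem my_custom_ca_bundle.crt
#   check_blocked my_custom_ca_bundle.crt https://server-issued-by-rogue-ca.example/
```

Obtain `rogue.pem` from the bundle itself or from the CA's published certificate, and confirm it is the intended one before running `remove_ca` (for example with `openssl x509 -in rogue.pem -noout -subject -fingerprint -sha256`). Comparing the base64 body rather than a name means a typo cannot silently remove a different, legitimate root; the printed count should be exactly 1, and `count_certs` on the new bundle should be one less than on the original. `check_blocked` deliberately accepts only exit status 60, so a DNS or connection failure is not mistaken for a successful block.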
- macOS (Using Keychain Access):
- Open Keychain Access (Applications > Utilities).
- Find the rogue CA certificate in the ‘System’ keychain.
- Double-click the certificate and change its trust settings to ‘Never Trust’.
- Windows (Using Certificate Manager):
- Open Certificate Manager (Run > certmgr.msc).
- Navigate to Trusted Root Certification Authorities > Certificates.
- Find the rogue CA certificate, right-click and select ‘Properties’.
- On the ‘General’ tab, disable the option ‘Enable all programs to trust this root store certificate’.
Important Considerations
- Regular Updates: Keep your CA bundle updated regularly to ensure you have the latest information about trusted and revoked certificates.
- Specificity: Only block the specific rogue CA certificate(s) if possible, rather than removing entire CAs. This minimizes disruption to legitimate connections.
- System-Wide vs. Application-Specific: Modifying the system-wide CA bundle affects all applications that use it. Using a custom bundle for cURL only affects cURL itself.