Block Rogue CAs with cURL

TL;DR

Yes, you can block a rogue Certificate Authority (CA) using cURL by modifying its CA bundle or providing a custom one. This prevents cURL from trusting certificates issued by that untrusted CA.

How to Block a Rogue CA with cURL

  1. Understand the CA Bundle: cURL uses a file called a ‘CA bundle’ which contains a list of trusted root certificates. When connecting to an HTTPS server, cURL checks whether the server’s certificate chain (the leaf certificate plus any intermediates) leads to a CA in this bundle. If it does not, cURL refuses the connection.
    • The default location of the CA bundle varies depending on your operating system:
      • Linux: Usually /etc/ssl/certs/ca-certificates.crt
      • macOS: cURL uses the system’s trust store, managed by Keychain Access.
      • Windows: cURL often relies on the Windows Certificate Store.
  2. Locate Your Current CA Bundle (Linux Example): You can find out which CA bundle cURL is using with:
    curl -v -o /dev/null https://example.com 2>&1 | grep 'CAfile:'

    cURL writes its verbose diagnostics to stderr, so 2>&1 merges them into the pipe where grep can see them, while -o /dev/null discards the page body; only the line containing the CA file path is shown.

  3. Create a Custom CA Bundle: The safest approach is to create a new, custom CA bundle instead of modifying the system-wide one. This avoids potential issues with other applications that rely on the default bundle.
    • Copy your existing CA bundle:
      cp /etc/ssl/certs/ca-certificates.crt my_custom_ca_bundle.crt
    • Edit my_custom_ca_bundle.crt with a text editor (e.g., nano, vim). Remove the certificate(s) of the rogue CA from this file.

      Important: Be very careful when editing the bundle! Removing legitimate certificates will break connections to trusted sites.

  4. Tell cURL to Use Your Custom Bundle: You can specify the custom CA bundle using the --cacert option:
    curl --cacert my_custom_ca_bundle.crt https://example.com
  5. Test the Block: If the rogue CA is blocked, cURL should now fail to connect to servers using certificates issued by that CA.
    • If you’re unsure whether a server uses a certificate from the rogue CA, run curl -v https://example.com and look at the issuer: lines cURL prints for the server’s certificate chain.
  6. macOS (Using Keychain Access):
    • Open Keychain Access (Applications > Utilities).
    • Find the rogue CA certificate in the ‘System’ keychain.
    • Double-click the certificate and change its trust settings to ‘Never Trust’.
  7. Windows (Using Certificate Manager):
    • Open Certificate Manager (Run > certmgr.msc).
    • Navigate to Trusted Root Certification Authorities > Certificates.
    • Find the rogue CA certificate, right-click and select ‘Properties’.
    • On the ‘General’ tab, disable the option ‘Enable all programs to trust this root store certificate’.
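Step 3 above removes the rogue CA from the bundle by hand; as an added example (not code from the original post), this stand-alone Python script does the same removal by SHA-256 fingerprint, which is harder to get wrong than deleting a PEM block by eye, and it refuses to write anything when the fingerprint is not found, so a typo cannot silently produce an unchanged copy. It assumes you already have the rogue root's fingerprint (for instance from openssl x509 -in rogue.pem -noout -sha256 -fingerprint); the three-entry bundle embedded in the script is constructed for a dry run and is not real X.509.

```python
"""Copy a PEM CA bundle minus one CA, selected by SHA-256 fingerprint (added example)."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_bundle(text):
    """Return every PEM certificate block (BEGIN..END lines inclusive), in file order."""
    return [m.group(0) for m in PEM_RE.finditer(text)]

def fingerprint(pem_block):
    """SHA-256 over the DER bytes, colon-separated like `openssl x509 -sha256 -fingerprint`."""
    der = base64.b64decode("".join(PEM_RE.search(pem_block).group(1).split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def remove_by_fingerprint(bundle_text, blocked_fingerprints):
    """Return (new_bundle_text, removed_count); only exact fingerprint matches are dropped."""
    blocked = {fp.upper().replace(":", "") for fp in blocked_fingerprints}
    kept, removed = [], 0
    for block in split_bundle(bundle_text):
        if fingerprint(block).replace(":", "") in blocked:
            removed += 1
        else:
            kept.append(block)  # text between blocks (e.g. CA-name comment lines) is not carried over
    return "\n".join(kept) + "\n", removed

def fake_cert(payload):
    """Constructed stand-in: a PEM wrapper around arbitrary bytes, not a real X.509 certificate."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(payload).decode()}\n-----END CERTIFICATE-----"

# Constructed three-entry bundle for a dry run; the middle entry plays the rogue CA.
SAMPLE_BUNDLE = "\n".join([fake_cert(b"constructed trusted CA A"),
                           fake_cert(b"constructed ROGUE CA"),
                           fake_cert(b"constructed trusted CA B")]) + "\n"
ROGUE_FP = fingerprint(split_bundle(SAMPLE_BUNDLE)[1])

if __name__ == "__main__":
    # usage: python remove_ca.py /etc/ssl/certs/ca-certificates.crt AA:BB:...:FF > my_custom_ca_bundle.crt
    src, fp = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as f:
        new_text, removed = remove_by_fingerprint(f.read(), {fp})
    if removed == 0:  # a mistyped fingerprint would otherwise yield an unchanged copy that looks "done"
        sys.exit(f"no certificate with fingerprint {fp} in {src}; nothing written")
    sys.stdout.write(new_text)
```

Point the resulting file at cURL with --cacert exactly as in step 4; the other roots are copied through byte-for-byte, so trusted sites keep working.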

Important Considerations

  • Regular Updates: Keep your CA bundle updated regularly to ensure you have the latest information about trusted and revoked certificates.
  • Specificity: Only block the specific rogue CA certificate(s) if possible, rather than removing entire CAs. This minimizes disruption to legitimate connections.
  • System-Wide vs. Application-Specific: Modifying the system-wide CA bundle affects all applications that use it. Using a custom bundle for cURL only affects cURL itself.