curl-curl/docs/cmdline-opts/ca-native.md
Stefan Eissing eefd03c572
ssl: support Apple SecTrust configurations
- configure/cmake support for enabling the option
- supported in OpenSSL and GnuTLS backends
- when configured, Apple SecTrust is the default trust store
  for peer verification. When one of the CURLOPT_* for adding
  certificates is used, that default does not apply.
- add documentation of build options and SSL use

Closes #18703
2025-10-03 12:02:23 +02:00

1.5 KiB

| Field | Value |
|---|---|
| c | Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
| SPDX-License-Identifier | curl |
| Long | ca-native |
| Help | Load CA certs from the OS |
| Protocols | TLS |
| Category | tls |
| Added | 8.2.0 |
| Multi | boolean |
| See-also | cacert, capath, dump-ca-embed, insecure, proxy-ca-native |
| Example | --ca-native $URL |

--ca-native

Use the operating system's native CA store for certificate verification.

This option is independent of other CA certificate locations set at run time or build time. Those locations are searched in addition to the native CA store.

This option works with OpenSSL and its forks (LibreSSL, BoringSSL, etc.) on Windows (Added in 7.71.0) and on Apple OS when libcurl is built with Apple SecTrust enabled. (Added in 8.17.0)

This option works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL), macOS, Android and iOS. (Added in 8.3.0)

This option works with GnuTLS (Added in 8.5.0) and also uses Apple SecTrust when libcurl is built with it. (Added in 8.17.0)

This option works with rustls on Windows, macOS, Android and iOS. On Linux it is equivalent to using the Mozilla CA certificate bundle. When used with rustls only the native CA store is consulted, not other locations set at run time or build time. (Added in 8.13.0)

This option currently has no effect for Schannel, the native TLS library from Microsoft, which by default uses the native CA store for verification unless overridden by a CA certificate location setting.
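The backend notes above, turned into a check you can run against the first line of `curl -V` to see which trust anchors `--ca-native` brings into play. This is an added example, not code from the curl project. The function names, the result labels, the `os` and `sectrust` arguments, and the sample version line are assumptions made for illustration. It assumes a build with a single TLS backend.

```sh
#!/bin/sh
# Added example, not curl project code. Labels and arguments are hypothetical.
# Real use: ca_native_effect "$(curl -V | head -n1)" linux
# Assumes a single-backend build; os is windows|linux|apple|android.

ver_ge() {  # true when dotted version $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" |
       sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

since() {  # print label $3 when version $1 >= $2, else not-listed
  if ver_ge "$1" "$2"; then echo "$3"; else echo not-listed; fi
}

ca_native_effect() {
  line=$1 os=$2 sectrust=${3:-no}
  ver=$(printf '%s\n' "$line" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
  [ -n "$ver" ] || { echo unknown; return; }
  # The command-line option itself was added in 8.2.0.
  ver_ge "$ver" 8.2.0 || { echo no-option; return; }
  case $line in
    *Schannel*) echo no-effect ;;  # already verifies against the native store
    *rustls*)   # only the native store is consulted; Linux maps to Mozilla bundle
      if [ "$os" = linux ]; then since "$ver" 8.13.0 mozilla-bundle
      else since "$ver" 8.13.0 native-only; fi ;;
    *wolfSSL*) since "$ver" 8.3.0 native-plus-configured ;;
    *GnuTLS*)  since "$ver" 8.5.0 native-plus-configured ;;
    *OpenSSL*|*LibreSSL*|*BoringSSL*)
      if [ "$os" = windows ]; then echo native-plus-configured
      elif [ "$os" = apple ] && [ "$sectrust" = sectrust ]; then
        since "$ver" 8.17.0 native-plus-configured
      else echo not-listed; fi ;;
    *) echo unknown ;;
  esac
}

# Constructed sample line (not captured from a real system):
ca_native_effect 'curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 rustls-ffi/0.14.0' linux
```

`native-only` is the result to watch for when a pinned `--cacert` is also in use: with rustls the text above says that location is not consulted. `not-listed` means the page names no support for that backend, platform and version combination.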