1--- 2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3SPDX-License-Identifier: curl 4Long: cacert 5Arg: <file> 6Help: CA certificate to verify peer against 7Protocols: TLS 8Category: tls 9Added: 7.5 10Multi: single 11See-also: 12 - capath 13 - insecure 14Example: 15 - --cacert CA-file.txt $URL 16--- 17 18# `--cacert` 19 20Use the specified certificate file to verify the peer. The file may contain 21multiple CA certificates. The certificate(s) must be in PEM format. Normally 22curl is built to use a default file for this, so this option is typically used 23to alter that default file. 24 25curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set 26and the TLS backend is not Schannel, and uses the given path as a path to a CA 27cert bundle. This option overrides that variable. 28 29The windows version of curl automatically looks for a CA certs file named 30'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the 31Current Working Directory, or in any folder along your PATH. 32 33(iOS and macOS only) If curl is built against Secure Transport, then this 34option is supported for backward compatibility with other SSL engines, but it 35should not be set. If the option is not set, then curl uses the certificates 36in the system and user Keychain to verify the peer, which is the preferred 37method of verifying the peer's certificate chain. 38 39(Schannel only) This option is supported for Schannel in Windows 7 or later 40(added in 7.60.0). This option is supported for backward compatibility with 41other SSL engines; instead it is recommended to use Windows' store of root 42certificates (the default for Schannel). 43