1 Short: E 2 Long: cert 3 Arg: <certificate[:password]> 4 Help: Client certificate file and password 5 Protocols: TLS 6 See-also: cert-type key key-type 7 Category: tls 8 Example: --cert certfile --key keyfile $URL 9 Added: 5.0 10 --- 11 Tells curl to use the specified client certificate file when getting a file 12 with HTTPS, FTPS or another SSL-based protocol. The certificate must be in 13 PKCS#12 format if using Secure Transport, or PEM format if using any other 14 engine. If the optional password is not specified, it will be queried for on 15 the terminal. Note that this option assumes a \&"certificate" file that is the 16 private key and the client certificate concatenated! See --cert and --key to 17 specify them independently. 18 19 If curl is built against the NSS SSL library then this option can tell 20 curl the nickname of the certificate to use within the NSS database defined 21 by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the 22 NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be 23 loaded. If you want to use a file from the current directory, please precede 24 it with "./" prefix, in order to avoid confusion with a nickname. If the 25 nickname contains ":", it needs to be preceded by "\\" so that it is not 26 recognized as password delimiter. If the nickname contains "\\", it needs to 27 be escaped as "\\\\" so that it is not recognized as an escape character. 28 29 If curl is built against OpenSSL library, and the engine pkcs11 is available, 30 then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in 31 a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a 32 PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set 33 as "pkcs11" if none was provided and the --cert-type option will be set as 34 "ENG" if none was provided. 35 36 (iOS and macOS only) If curl is built against Secure Transport, then the 37 certificate string can either be the name of a certificate/private key in the 38 system or user keychain, or the path to a PKCS#12-encoded certificate and 39 private key. If you want to use a file from the current directory, please 40 precede it with "./" prefix, in order to avoid confusion with a nickname. 41 42 (Schannel only) Client certificates must be specified by a path 43 expression to a certificate store. (Loading PFX is not supported; you can 44 import it to a store first). You can use 45 "<store location>\\<store name>\\<thumbprint>" to refer to a certificate 46 in the system certificates store, for example, 47 "CurrentUser\\MY\\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a". Thumbprint is 48 usually a SHA-1 hex string which you can see in certificate details. Following 49 store locations are supported: CurrentUser, LocalMachine, CurrentService, 50 Services, CurrentUserGroupPolicy, LocalMachineGroupPolicy, 51 LocalMachineEnterprise. 52 53 If this option is used several times, the last one will be used. 54