ca-bundle.crt

Information on obtaining or building a ca-bundle.crt file

What is ca-bundle.crt?

ca-bundle.crt is a file that contains well known root CAcertificates.(What is a root CA?)

What is it used for?

It is used by openssl to validate certificates issued by well known root CAs.  It is also used by any third party applications that use openssl, and some that don't.

Why do I need to get ca-bundle.crt here/Why do I need to build it myself?  Why isn't it provided by (insert your tool here) developers?

It was originally produced by Netscape.  However, after version 4.x, Netscape no longer uses the ca-bundle.crt format.  3rd party products (like openssl) still do use it.  Most of the versions of ca-bundle.crt floating around the net are very old.

In any case, you may feel safer building it yourself.  Building it yourself lets you decide what root CAs you want to trust.

Forget about building it myself, where can I get a pre-built copy?

Here's one I buiilt using Mozilla's NSS library v3.7 built-in "Builtin Roots Module" : ca-bundle.crt

SHA1 sum : 0498c8ef0fa22f241cd2bcc4b27b71714f39348c
MD5 sum :   83e2ea55aeb9fc9578554decfb0ec5f6

How do I go about building ca-bundle.crt myself?

First, you'll need a bunch of root CA certificates that you trust :)

I recommend getting Mozilla's list.  Its destributed in their NSS sourcecode.  Here are the steps/code to produce ca-bundle.crt from NSS code :

The following instructions have been tried on Mandrake linux 8.2

  1. Download Mozilla's NSS code : nss 3.7 release notes
  2. Download dumpCerts.java and create_bundle.sh from certifie.com.
  3. build dumpCerts.java
  4. Install a Mozilla browser.
  5. run dumpCerts.java
  6. That's it.

I've got some special CA certs not included by Mozilla that I wan't to add to ca-bundle.crt.  How can I add them?

You can use create_bundle.sh.  It is called by dumpCerts.java to build the ca-bundle.crt file from NSS data.  It may also be run stand-alone and its output appended to ca-bundle.crt.  You may also want to cut and paste its output into ca-bundle.crt to keep it alphabetized properly (if your picky).

What license is your code distributed under?  Can I use it for commercial uses?

You may use the two files  dumpCerts.java and   create_bundle.sh however you'd like, although I make no claims that they will function correctly.  Use them at your own risk.  

The file ca-bundle.crt is provided here under the assumption that it is data/facts and may be used freely by anyone who wishes to use it.

I have some additional questions.  How may I contact you to ask them?

You can contact me at : questions@certifie.com