Information on obtaining or building a
What is ca-bundle.crt?
ca-bundle.crt is a file that contains well-known root CA certificates. (What is a root CA?)
What is it used for?
It is used by openssl to validate
certificates issued by well-known root CAs. It is also used by any
third-party applications that use openssl, and some that don't.
Why do I need to get ca-bundle.crt here/Why do I need to build it
myself? Why isn't it provided by (insert your tool here)?
It was originally produced by Netscape. However, after version
4.x, Netscape no longer uses the ca-bundle.crt format. 3rd party
products (like openssl) still do use
it. Most of the versions of ca-bundle.crt floating around the net
are very old.
In any case, you may feel safer building it yourself. Building it
yourself lets you decide what root CAs you want to trust.
Forget about building it myself, where can I get a pre-built copy?
Here's one I built using Mozilla's NSS library v3.7 built-in "Builtin
Roots Module" : ca-bundle.crt
SHA1 sum : 0498c8ef0fa22f241cd2bcc4b27b71714f39348c
MD5 sum : 83e2ea55aeb9fc9578554decfb0ec5f6
How do I go about building ca-bundle.crt myself?
First, you'll need a bunch of root CA certificates that you trust :)
I recommend getting Mozilla's list. It's distributed in their NSS
source code. Here are the steps/code to produce ca-bundle.crt from
NSS code:
The following instructions have been tried on Mandrake Linux 8.2.
- Download Mozilla's NSS code : nss
3.7 release notes
- Download dumpCerts.java
and create_bundle.sh from
- Build dumpCerts.java
- Install a Mozilla browser.
- Use jss33.jar from NSS
- javac -classpath jss33.jar dumpCerts.java
- Set LD_LIBRARY_PATH to the directory where you have put NSS. It should point to a directory that has nss/lib under it.
- Run: java -classpath .:jss33.jar dumpCerts $HOME/.mozilla/default/<user dir>.slt/ ca-bundle.crt
I've got some special CA certs not included by Mozilla that I want
to add to ca-bundle.crt. How can I add them?
You can use create_bundle.sh.
It is called by dumpCerts.java to build the ca-bundle.crt file
from NSS data. It may also be run stand-alone and its output
appended to ca-bundle.crt. You may also want to cut and paste its
output into ca-bundle.crt to keep it alphabetized properly (if your
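An added example (not part of the original page and not the author's create_bundle.sh): one way to append your own CA certificates to ca-bundle.crt without adding duplicates, assuming the bundle is the usual concatenation of PEM "BEGIN CERTIFICATE" blocks with free text between them. The function names and the sample data are constructed for illustration. The code compares encodings only and does not check that a block is a valid certificate or one you should trust.

```python
import base64
import hashlib
import re

# A PEM certificate block; text between blocks (labels, comments) is ignored.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the DER bytes of every certificate block found in text."""
    ders = []
    for body in PEM_RE.findall(text):
        # validate=True rejects stray characters instead of silently skipping them
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def to_pem(der):
    """Wrap DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def merge_into_bundle(bundle_text, extra_text):
    """Append certificates from extra_text that the bundle does not contain.

    Returns (new_bundle_text, added_fingerprints). Duplicates are detected by
    SHA-256 over the DER encoding, so a re-wrapped or re-labelled copy of a
    certificate already in the bundle is not added a second time.
    """
    seen = {hashlib.sha256(d).hexdigest() for d in pem_blocks(bundle_text)}
    extras = pem_blocks(extra_text)
    if not extras:
        raise ValueError("no certificate blocks found in input")
    out, added = bundle_text.rstrip("\n") + "\n", []
    for der in extras:
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            continue
        seen.add(fp)
        added.append(fp)
        out += "\n" + to_pem(der)
    return out, added


# Constructed sample data: placeholder bytes standing in for DER certificates.
CERT_A = b"\x30\x82" + b"constructed-root-A" * 5
CERT_B = b"\x30\x82" + b"constructed-root-B" * 5
SAMPLE_BUNDLE = "Constructed Root A\n==================\n" + to_pem(CERT_A)
```

Review the returned fingerprints before replacing the bundle that openssl reads, since every certificate in that file becomes a trusted root.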
What license is your code distributed under? Can I use it for
You may use the two files dumpCerts.java
however you'd like, although I make no claims that they will function
correctly. Use them at your own risk.
The file ca-bundle.crt is provided here under the
assumption that it is data/facts and may be used freely by anyone who
wishes to use it.
I have some additional questions. How may I contact you to
You can contact me at : firstname.lastname@example.org