ca-bundle.crt
Information on obtaining or building a
ca-bundle.crt file
What is ca-bundle.crt?
ca-bundle.crt is a file that contains well-known root CA certificates. (What is a root CA?)
What is it used for?
It is used by openssl to validate
certificates issued by well known root CAs. It is also used by any
third party applications that use openssl, and some that don't.
Why do I need to get ca-bundle.crt here/Why do I need to build it
myself? Why isn't it provided by (insert your tool here)
developers?
It was originally produced by Netscape. However, after version
4.x, Netscape no longer uses the ca-bundle.crt format. 3rd party
products (like openssl) still do use
it. Most of the versions of ca-bundle.crt floating around the net
are very old.
In any case, you may feel safer building it yourself. Building it
yourself lets you decide what root CAs you want to trust.
Forget about building it myself, where can I get a pre-built copy?
Here's one I built using Mozilla's NSS library v3.7 built-in "Builtin
Roots Module" : ca-bundle.crt
SHA1 sum : 0498c8ef0fa22f241cd2bcc4b27b71714f39348c
MD5 sum : 83e2ea55aeb9fc9578554decfb0ec5f6
How do I go about building ca-bundle.crt myself?
First, you'll need a bunch of root CA certificates that you trust :)
I recommend getting Mozilla's list. It's distributed in their NSS
source code. Here are the steps/code to produce ca-bundle.crt from
NSS code :
The following instructions have been tried on Mandrake Linux 8.2.
- Download Mozilla's NSS code: nss 3.7 release notes
- Download dumpCerts.java and create_bundle.sh from certifie.com.
- Build dumpCerts.java
  - Use jss33.jar from NSS
  - javac -classpath jss33.jar dumpCerts.java
- Install a Mozilla browser.
- Run dumpCerts.java
  - Set LD_LIBRARY_PATH to the directory where you have put NSS.
    It should point to a directory that has nss/lib under it.
  - Run: java -classpath .:jss33.jar dumpCerts $HOME/.mozilla/default/<user dir>.slt/ ca-bundle.crt
- That's it.
I've got some special CA certs not included by Mozilla that I want
to add to ca-bundle.crt. How can I add them?
You can use create_bundle.sh.
It is called by dumpCerts.java to build the ca-bundle.crt file
from NSS data. It may also be run stand-alone and its output
appended to ca-bundle.crt. You may also want to cut and paste its
output into ca-bundle.crt to keep it alphabetized properly (if you're
picky).
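The append step described above, as an added example (not the site's create_bundle.sh or dumpCerts.java): a Python script that merges extra PEM certificates into a bundle and skips any whose DER SHA-256 fingerprint is already present, so the list of newly trusted roots can be reviewed. The function names are hypothetical and the sample blocks are constructed placeholder bytes, not real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_bundle(text):
    # DER bytes of every certificate block; labels between blocks are ignored.
    return [ssl.PEM_cert_to_DER_cert(m.group(0)) for m in PEM_BLOCK.finditer(text)]


def fingerprint(der):
    # SHA-256 over the DER encoding identifies one exact certificate.
    return hashlib.sha256(der).hexdigest()


def merge_bundle(bundle_text, extra_text):
    # Append certificates from extra_text that the bundle does not already hold.
    # Returns (new_bundle_text, fingerprints_added); re-running adds nothing.
    seen = {fingerprint(der) for der in split_bundle(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):
        out += "\n"
    added = []
    for der in split_bundle(extra_text):
        fp = fingerprint(der)
        if fp in seen:
            continue  # same root already trusted, or repeated in the input
        seen.add(fp)
        added.append(fp)
        out += ssl.DER_cert_to_PEM_cert(der)
    return out, added


# Constructed sample data: placeholder bytes, NOT real X.509 certificates.
ROOT_A = ssl.DER_cert_to_PEM_cert(b"constructed-root-A" * 8)
ROOT_B = ssl.DER_cert_to_PEM_cert(b"constructed-root-B" * 8)
SAMPLE_BUNDLE = "Example Root A\n==============\n" + ROOT_A
SAMPLE_EXTRA = ROOT_A + "My Private CA\n" + ROOT_B

if __name__ == "__main__":
    merged, added = merge_bundle(SAMPLE_BUNDLE, SAMPLE_EXTRA)
    print("certificates in merged bundle:", len(split_bundle(merged)))
    print("newly added (review before trusting):", added)
```

Only the PEM blocks from the extra file are appended; any label text around them is not carried over.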
What license is your code distributed under? Can I use it for
commercial uses?
You may use the two files dumpCerts.java
and create_bundle.sh
however you'd like, although I make no claims that they will function
correctly. Use them at your own risk.
The file ca-bundle.crt is provided here under the
assumption that it is data/facts and may be used freely by anyone who
wishes to use it.
I have some additional questions. How may I contact you to
ask them?
You can contact me at : questions@certifie.com