CA certificates extracted from Mozilla
The Mozilla CA certificate store in PEM format (around 200KB uncompressed):
This bundle was generated at Tue Aug 22 03:12:04 2023 GMT .
This PEM file contains the datestamp of the conversion and we only make a new conversion if there's a change in either the script or the source file. This service checks for updates every day. Here's the sha256sum of the current PEM file.
Some programs will expect this file to be named ca-bundle.crt (in the correct path). curl on windows has a system to find it if named curl-ca-bundle.crt.
CA file revisions per date of appearance
Missing Name Constraints
The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!
CA certificate store license
The PEM file is only a converted version of the original one and thus it is licensed under the same license as the Mozilla source file: MPL 2.0
Automated downloads from here
We don't mind you downloading the PEM file from us in an automated fashion.
A suitable curl command line to only download it when it has changed:
curl --etag-compare etag.txt --etag-save etag.txt --remote-name https://curl.se/ca/cacert.pemOr if you use an ancient curl version that doesn't support etags:
curl --remote-name --time-cond cacert.pem https://curl.se/ca/cacert.pem
The conversion script mk-ca-bundle
Convert from your local Firefox installation
You can also extract the ca certs off your Firefox installation, if you just have the 'certutil' tool installed and run the firefox-db2pem.sh script!