curl/docs/cmdline-opts/ca-native.md
Jay Satiro 2335cbaa21 ca-native.md: sync with CURLSSLOPT_NATIVE_CA
- Add that the native CA store is used to verify certs in addition to
  the other certificate location settings.

Basically clarify that --ca-native does not override --cacert etc.

Prior to this change that behavior was only documented in
CURLSSLOPT_NATIVE_CA which is what --ca-native maps to.

Ref: https://github.com/curl/curl/pull/16181#issuecomment-2663998865

Closes https://github.com/curl/curl/pull/16373
2025-02-19 03:39:52 -05:00

38 lines
1.1 KiB
Markdown

---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: ca-native
Help: Load CA certs from the OS
Protocols: TLS
Category: tls
Added: 8.2.0
Multi: boolean
See-also:
- cacert
- capath
- dump-ca-embed
- insecure
- proxy-ca-native
Example:
- --ca-native $URL
---
# `--ca-native`
Use the operating system's native CA store for certificate verification.
This option is independent of other CA certificate locations set at run time or
build time. Those locations are searched in addition to the native CA store.
This option works with OpenSSL and its forks (LibreSSL, BoringSSL, etc) on
Windows. (Added in 7.71.0)
This option works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo,
Fedora, RHEL), macOS, Android and iOS. (Added in 8.3.0)
This option works with GnuTLS. (Added in 8.5.0)
This option currently has no effect for Schannel or Secure Transport. Those are
native TLS libraries from Microsoft and Apple, respectively, that by default
use the native CA store for verification unless overridden by a CA certificate
location setting.