
How to update cURL CA bundle on RedHat? [Resolved]

I am running into issues where the CA bundle that has been bundled with my version of cURL is outdated.

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

Reading through the documentation didn't help me because I didn't understand what I needed to do or how to do it. I am running RedHat and need to update the CA bundle. What do I need to do to update my CA bundle on RedHat?


Question Credit: Andrew
Asked June 8, 2016
Posted Under: Network
80 views
5 Answers

The recommended way of doing that on RHEL 6+ systems is to use the update-ca-trust tool, which is now installed by default.

# cat /etc/pki/ca-trust/source/README 
This directory /etc/pki/ca-trust/source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Please refer to the update-ca-trust(8) manual page for additional information

Therefore, you only need to drop your crt file into /etc/pki/ca-trust/source/anchors/ and run the tool. Work done. This is safe to do; you don't need to do any backups. The full manual page can be found here: https://www.mankier.com/8/update-ca-trust


credit: lzap
Answered June 8, 2016
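
A pre-flight check for the procedure in the answer above, as an added example that is not part of the original answers: it confirms the file is an unexpired CA certificate, prints its fingerprint for comparison, and picks anchors/ or source/ as the quoted README describes. The function names and the SOURCE_DIR override are assumptions of this example; it expects the openssl command-line tool to be installed.

```sh
#!/bin/sh
# Added example (not from the original answers). Paths are the ones named in the
# README quoted above; SOURCE_DIR is overridable only so the functions can be
# tried against a scratch directory (an assumption of this example).
SOURCE_DIR="${SOURCE_DIR:-/etc/pki/ca-trust/source}"

# check_ca_cert FILE
# Returns 0 for a parseable, unexpired certificate with basicConstraints CA:TRUE,
# 1 if it is not X.509 (PEM or DER), 2 if it has expired, 3 if it is not a CA.
check_ca_cert() {
    cert=$1
    form=PEM
    openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null || form=DER
    openssl x509 -in "$cert" -inform "$form" -noout 2>/dev/null ||
        { echo "$cert: not a PEM or DER certificate" >&2; return 1; }
    openssl x509 -in "$cert" -inform "$form" -noout -checkend 0 >/dev/null ||
        { echo "$cert: certificate has expired" >&2; return 2; }
    openssl x509 -in "$cert" -inform "$form" -noout -text | grep -q 'CA:TRUE' ||
        { echo "$cert: not a CA certificate (no CA:TRUE)" >&2; return 3; }
    # Show what is about to be trusted; compare the fingerprint with the one
    # published by the CA's owner before going further.
    openssl x509 -in "$cert" -inform "$form" -noout -subject -enddate -fingerprint -sha256
}

# anchor_dest FILE
# Prints the directory the README assigns to this file: source/ for the
# extended "BEGIN TRUSTED" format, source/anchors/ for plain PEM or DER.
anchor_dest() {
    if grep -q -- '-----BEGIN TRUSTED CERTIFICATE-----' "$1" 2>/dev/null; then
        echo "$SOURCE_DIR"
    else
        echo "$SOURCE_DIR/anchors"
    fi
}

# install_anchor FILE   (run as root)
# Vets the certificate, copies it into place, then rebuilds the trust bundles.
install_anchor() {
    check_ca_cert "$1" || return
    dest=$(anchor_dest "$1")
    cp "$1" "$dest/" && chmod 0644 "$dest/$(basename "$1")" && update-ca-trust
}
```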

RHEL provides the Mozilla CA certificates as part of the ca-certificates package (install this with yum if it's not already installed). To tell cURL to use these, use the --cacert parameter like so.

curl --cacert /etc/ssl/certs/ca-bundle.crt https://google.com/

credit: mgorven
Answered June 8, 2016
 
I'm using RHEL7 on AWS EC2, I just upgraded my package to ca-certificates.noarch 0:2014.1.98-70.0.el7_0 - it didn't solve my problem unfortunately, but just thought I'd add this information. – DuffJ Feb 9 '15 at 18:44
 CanDoerz  3 years ago
 
RHEL6 has this package; I'm guessing you are using an older version. Unfortunately the list hasn't changed since 2010, thanks for keeping us up to date, Red Hat. – Dan Pritts Jan 23 '13 at 22:30
 CanDoerz  3 years ago
 
I tried yum install ca-certificates and got No package ca-certificates available – Andrew Jun 1 '12 at 18:31
 CanDoerz  3 years ago

Probably depends on which version of Red Hat. You can find which package actually updates the file by doing:

rpm -qf /etc/pki/tls/certs/ca-bundle.crt

My result was showing that openssl-0.9.8e-12.el5 needs to be updated.

If there are no updated certificates in your distribution, you have to manually update, as per Nada's answer.


credit: EightBitTony
Answered June 8, 2016