| xf.li | 6c8fc1e | 2023-08-12 00:11:09 -0700 | [diff] [blame^] | 1 | c: Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. |
| 2 | SPDX-License-Identifier: curl |
| 3 | Short: E |
| 4 | Long: cert |
| 5 | Arg: <certificate[:password]> |
| 6 | Help: Client certificate file and password |
| 7 | Protocols: TLS |
| 8 | See-also: cert-type key key-type |
| 9 | Category: tls |
| 10 | Example: --cert certfile --key keyfile $URL |
| 11 | Added: 5.0 |
| 12 | Multi: single |
| 13 | --- |
| 14 | Tells curl to use the specified client certificate file when getting a file |
| 15 | with HTTPS, FTPS or another SSL-based protocol. The certificate must be in |
| 16 | PKCS#12 format if using Secure Transport, or PEM format if using any other |
| 17 | engine. If the optional password is not specified, it will be queried for on |
| 18 | the terminal. Note that this option assumes a certificate file that is the |
| 19 | private key and the client certificate concatenated. See --cert and --key to |
| 20 | specify them independently. |
| 21 | |
| 22 | In the <certificate> portion of the argument, you must escape the character ":" |
| 23 | as "\\:" so that it is not recognized as the password delimiter. Similarly, you |
| 24 | must escape the character "\\" as "\\\\" so that it is not recognized as an |
| 25 | escape character. |
| 26 | |
| 27 | If curl is built against the NSS SSL library then this option can tell |
| 28 | curl the nickname of the certificate to use within the NSS database defined |
| 29 | by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the |
| 30 | NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be |
| 31 | loaded. |
| 32 | |
| 33 | If you provide a path relative to the current directory, you must prefix the |
| 34 | path with "./" in order to avoid confusion with an NSS database nickname. |
| 35 | |
| 36 | If curl is built against OpenSSL library, and the engine pkcs11 is available, |
| 37 | then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in |
| 38 | a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a |
| 39 | PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set |
| 40 | as "pkcs11" if none was provided and the --cert-type option will be set as |
| 41 | "ENG" if none was provided. |
| 42 | |
| 43 | (iOS and macOS only) If curl is built against Secure Transport, then the |
| 44 | certificate string can either be the name of a certificate/private key in the |
| 45 | system or user keychain, or the path to a PKCS#12-encoded certificate and |
| 46 | private key. If you want to use a file from the current directory, please |
| 47 | precede it with "./" prefix, in order to avoid confusion with a nickname. |
| 48 | |
| 49 | (Schannel only) Client certificates must be specified by a path |
| 50 | expression to a certificate store. (Loading PFX is not supported; you can |
| 51 | import it to a store first). You can use |
| 52 | "<store location>\\<store name>\\<thumbprint>" to refer to a certificate |
| 53 | in the system certificates store, for example, |
| 54 | "CurrentUser\\MY\\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a". Thumbprint is |
| 55 | usually a SHA-1 hex string which you can see in certificate details. Following |
| 56 | store locations are supported: CurrentUser, LocalMachine, CurrentService, |
| 57 | Services, CurrentUserGroupPolicy, LocalMachineGroupPolicy, |
| 58 | LocalMachineEnterprise. |