When sending a request to an HTTPS URL, Curl verifies the SSL certificate of the target URL against the local CA certificate store. For expired and self-signed certificates, Curl returns Certificate Verify Failed error message. To bypass certificate checking, pass -k or --insecure command-line switch to Curl. Click Run to execute the Curl HTTPS request online and see the results.
Curl is a command line tool for transferring data to and from servers. Curl supports over 25+ protocols including HTTP and HTTPS. Curl works on all modern platforms and hardware, including Linux, Windows, and macOS, and is widely used by developers to test APIs and automate tasks that involve sending data over the network and testing the availability of various services.
What is HTTPS?
HTTPS (Secure Hypertext Transfer Protocol) is a secure version of HTTP, the primary Internet protocol used to transfer data between a web browser and a website. HTTPS runs on top of the lower layer SSL protocol (stands for Secure Sockets Layer) and transfers data over the network in an encrypted form to improve data security and prevent unauthorized persons from reading this data. SSL and its more secure version called TLS (Transport Layer Security) use digital certificates and robust encryption algorithms to encrypt data.
How does Curl check HTTPS connections?
Curl verifies the SSL certificate of the target URL against the local CA certificate store that comes with the Curl installation. CA certificates are retrieved from the Mozilla CA certificate store and can be manually updated by downloading the cacert.pem file from the CA Extract website and replacing the curl-ca-bundle.crt file in the Curl installation folder. The connection is verified by testing that the server certificate contains the correct hostname and is up to date. For expired and self-signed SSL/TLS certificates, Curl returns the error: "SSL certificate problem, verify that the CA cert is OK."
How to allow insecure HTTPS connections using Curl?
To bypass certificate validation, pass the -k or --insecure flag to Curl. This will tell Curl to ignore certificate errors and accept insecure certificates without complaining about them.
CURL Insecure HTTPS Connection Example
curl -k https://reqbin.com/echo
How to send a client certificate using Curl?
To send a client certificate to the server when communicating over HTTPS or FTPS protocol, you can use the -E or --cert command-line switch. The client certificate must be in PKCS#12 format for Secure Transport or PEM format if using any other mechanism.
In some cases, you may need to use a different certificate chain than the one supplied with Curl. Certificate chains provide trust relationships between the certificates, where the CA certificate is at the beginning of the chain and the certificate of the site we want to navigate at the end of the chain. With the --cacert filename command line parameter, we can provide another CA, such as our company's local CA.