CA Cert issue has me stumped

Barry Roberts blr at robertsr.us
Fri Nov 15 11:02:38 MST 2019


My employer, in their infinite wisdom, has implemented a TLS inspection
proxy (MITM attack), and I'm trying to figure out how to get everything
working again on Fedora 30.

I have a .pem file that I downloaded with Firefox.  If I use keytool to
import that into the Java cacerts keystore, that fixes issues with Java.
So I'm pretty sure my .pem file is good.

But I cannot get curl to use the .pem file to trust the Zscaler CA cert.
I've tried:

1. curl --cacert mitm.pem https://nodejs.org
2. Adding the .pem file to /etc/pki/ca-trust/source/anchors/, and making
sure it's in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (and its
symlink /etc/pki/tls/certs/ca-bundle.crt) after running 'update-ca-trust'
3. curl --cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Curl consistently complains that it can't verify the TLS cert.  I'm
probably missing something obvious here, but I'm stuck.  Any ideas or
suggestions?

Thanks,
Barry
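An added diagnostic script for the three steps above (not code from the original post or from Fedora's ca-trust tooling). It checks the things that most often go wrong with this setup: whether the saved .pem is actually a CA certificate rather than the server's leaf cert, whether that exact certificate (by SHA-256 fingerprint) made it into the extracted bundle, and whether curl accepts it. The bundle path is the Fedora default named in the post; the URL and the `diagnose` function name are assumptions.

```shell
#!/bin/sh
# Diagnose why curl rejects a TLS-inspection CA on Fedora (added example).
# Assumes openssl and curl on PATH and the Fedora ca-trust bundle path below.
BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

# SHA-256 fingerprint of the first certificate in a PEM file (lowercase hex).
# Prints nothing if the file holds no parseable certificate.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeeds only if the PEM holds a CA certificate (basicConstraints CA:TRUE).
# Saving a certificate from a browser often yields the server's leaf cert,
# which can never act as a trust anchor for curl.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if the certificate in $1 appears (by fingerprint) in bundle $2.
cert_in_bundle() {
  want=$(fingerprint "$1")
  [ -n "$want" ] || return 1
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate. Any text before the
  # first BEGIN line (comments) lands in 0.pem, which openssl cannot parse.
  awk -v dir="$tmp" 'BEGIN { n = 0 }
    /-----BEGIN CERTIFICATE-----/ { n++ }
    { f = dir "/" n ".pem"; print >> f; close(f) }' "$2"
  found=1
  for f in "$tmp"/*.pem; do
    [ "$(fingerprint "$f")" = "$want" ] && { found=0; break; }
  done
  rm -rf "$tmp"
  return $found
}

# Run the checks in the order the post tried them and report the first failure.
diagnose() {
  pem=$1; url=${2:-https://nodejs.org}
  is_ca_cert "$pem" || { echo "$pem is not a CA certificate (leaf cert saved instead?)"; return 1; }
  cert_in_bundle "$pem" "$BUNDLE" || { echo "$pem is not in $BUNDLE; rerun update-ca-trust"; return 1; }
  curl --cacert "$pem" -sS -o /dev/null "$url" \
    || { echo "curl rejects $url even with $pem; check which CA signed the served chain"; return 1; }
  echo "OK: $pem is a CA, is in $BUNDLE, and curl accepts $url with it"
}

if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

Run it as `sh diagnose.sh mitm.pem` (optionally with a second URL argument); each failure message names the step to revisit.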

