CA Cert issue has me stumped

James Simister jsimister at
Fri Nov 15 11:31:43 MST 2019

If you use the --cacert option, I think you need to make sure the pem file
is a bundle of certificates, including the entire chain back to the root
cert. There is also a --capath option where you can specify a directory of
certificates that can be used. If using openssl, use the c_rehash command
to reprocess the certificates if you've added or removed any in the

On Fri, Nov 15, 2019, 11:02 AM Barry Roberts <blr at> wrote:

> My employer, in their infinite wisdom, has implemented a TLS inspection
> proxy (MITM attack), and I'm trying to figure out how to get everything
> working again on Fedora 30.
> I have a .pem file that I downloaded with firefox.  If I use keytool to
> import that into the java cacerts keystore, that fixes issues with java.
> So I'm pretty sure my .pem file is good.
> But I cannot get curl to use the .pem file to trust the ZScaler's CA cert.
> I've tried:
> 1. curl --cacert mitm.pem
> 2. Adding the .pem file to /etc/pki/ca-trust/source/anchors/, and making
> sure it's in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (and its
> symlink /etc/pki/tls/certs/ca-bundle.crt) after running 'update-ca-trust'
> 3. curl --cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> Curl consistently complains that it can't verify the tls cert.  I'm
> probably missing something obvious here, but I'm stuck.  Any ideas or
> suggestions?
> Thanks,
> Barry
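A few diagnostic helpers for the points James raises (is the PEM file really a chain, does the proxy's chain verify against it, and how to set up a `--capath` directory with `c_rehash`). This is an added example, not code from either poster; it assumes `openssl`, `c_rehash` and `curl` are on PATH, and `proxy.example`, `mitm.pem` and `chain.pem` are placeholder names.

```shell
#!/bin/sh
# Helpers for checking a CA bundle before handing it to curl --cacert/--capath.

# Count certificates in a PEM bundle. A file holding only the proxy's root
# CA prints 1; a full chain prints 2 or more. Prints 0 for an empty file.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# List subject/issuer of every certificate in the bundle, so you can see
# whether each issuer is the subject of another cert and the last one is
# self-signed (subject == issuer), i.e. the chain really reaches a root.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Capture the chain the TLS-inspecting proxy actually presents for a host
# (the proxy's leaf first, then whatever intermediates it sends).
fetch_server_chain() {            # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
}

# Verify the captured leaf against the bundle, using the captured chain as
# untrusted intermediates. If this fails, curl --cacert will fail too, and
# the bundle (not curl) is the problem.
verify_against_bundle() {         # bundle chainfile
    openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

# Build a --capath directory: copy the bundle in and run c_rehash so the
# <hash>.0 symlinks OpenSSL looks up by issuer hash exist.
build_capath() {                  # bundle dir
    mkdir -p "$2"
    cp "$1" "$2/mitm-bundle.pem"
    c_rehash "$2"
}

# Fetch a URL with an explicit trust store and print only the HTTP status;
# -v on a failure shows which CAfile/CApath curl actually used.
curl_check() {                    # url bundle
    curl -sS -o /dev/null -w '%{http_code}\n' --cacert "$2" "$1"
}

# Usage (placeholders):
#   count_pem_certs mitm.pem; show_chain mitm.pem
#   fetch_server_chain proxy.example 443 chain.pem
#   verify_against_bundle mitm.pem chain.pem
#   build_capath mitm.pem ./capath && curl --capath ./capath https://proxy.example/
```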
