Difference between --cacert and --capath in curl?

Question

When would one use the --cacert option vs. the --capath option within curl (CLI that is).

--cacert appears to reference a monolithic file that contains multiple PEMs. Assume it scans through to find the matching hostname?

--capath appears to reference a directory in which multiple files live. Does curl pick up the appropriate certificate as a filename therein?

Recommended answer

From the docs:

--cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. If this option is used several times, the last one will be used.

--capath (HTTPS) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied with openssl. Certificate directories are not supported under Windows (because c_rehash uses symbolic links to create them). Using --capath can allow curl to make https connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. If this option is used several times, the last one will be used.

So, if you specify --cacert, the CA certs are stored in the specified file. These CA certificates are used to verify the certs of remote servers that cURL connects to.

The --capath option is used to specify a directory containing the CA certs rather than a single file. The c_rehash utility should be used to prepare the directory i.e., create the necessary links. The main benefit of using --capath would appear to be that it's more efficient than the --cacert single file approach if you have many CA certs.

Here's a script that probably does what c_rehash does:

for file in *.pem; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file").0"; done

With both options you should be careful to only include CA certs from CAs you trust. If, for example, you know the remote servers should always be issued with certs from YourCompanyCA, then this is the only CA cert you should include.
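
A fuller version of the directory preparation described in the answer, as an added example that is not part of the original answer and is not the real c_rehash: it picks the next free `.N` suffix when two CAs share a subject hash, links identical certificates only once, and skips files that do not parse. The function names `rehash_dir`, `cert_hash` and `cert_fingerprint` are hypothetical, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not the real c_rehash): prepare a directory for curl --capath.

# Subject-name hash that OpenSSL uses to look up a CA in a hashed directory.
cert_hash() {
    openssl x509 -hash -noout -in "$1" 2>/dev/null
}

# SHA-256 fingerprint, used to recognise the same certificate stored twice.
cert_fingerprint() {
    openssl x509 -fingerprint -sha256 -noout -in "$1" 2>/dev/null
}

# rehash_dir DIR: create <hash>.<n> symlinks for each *.pem file in DIR and
# print how many links were created.
rehash_dir() {
    dir=$1
    created=0
    x='[0-9a-f]'
    # Drop hash links from earlier runs so links reflect the current *.pem files.
    for link in "$dir"/$x$x$x$x$x$x$x$x.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for file in "$dir"/*.pem; do
        [ -f "$file" ] || continue
        h=$(cert_hash "$file") || h=""
        if [ -z "$h" ]; then
            echo "skipping $file: not a PEM certificate" >&2
            continue
        fi
        fp=$(cert_fingerprint "$file") || fp=""
        n=0
        dup=no
        # Different CAs can share a hash, so take the next free suffix
        # instead of always using .0; identical certificates get one link.
        while [ -e "$dir/$h.$n" ]; do
            if [ "$(cert_fingerprint "$dir/$h.$n")" = "$fp" ]; then
                dup=yes
                break
            fi
            n=$((n + 1))
        done
        if [ "$dup" = no ]; then
            ln -s "$(basename "$file")" "$dir/$h.$n"
            created=$((created + 1))
        fi
    done
    echo "$created"
}
```

Call `rehash_dir` on a directory that holds only the CA certificates you trust, then pass that directory to curl with `--capath`.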
