The Mozilla CA certificate store in PEM format (around 200KB uncompressed):
This bundle was generated at Tue Sep 9 03:12:01 2025 GMT .
This PEM file contains the datestamp of the conversion and we only make a new conversion if there is a change in either the script or the source file. This service checks for updates every day. Here's the sha256sum of the current PEM file.
Some programs will expect this file to be named ca-bundle.crt (in the correct path). curl on windows has a system to find it if named curl-ca-bundle.crt.
| Date | Certificates |
|---|---|
| 2025年09月09日 (sha256) | 146 |
| 2025年08月12日 (sha256) | 146 |
| 2025年07月15日 (sha256) | 143 |
| 2025年05月20日 (sha256) | 143 |
| 2025年02月25日 (sha256) | 150 |
| 2024年12月31日 (sha256) | 149 |
| 2024年11月26日 (sha256) | 152 |
| 2024年09月24日 (sha256) | 151 |
| 2024年07月02日 (sha256) | 147 |
| 2024年03月11日 (sha256) | 147 |
The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!
The PEM file is only a converted version of the original one and thus it is licensed under the same license as the Mozilla source file: MPL 2.0
We do not mind you downloading the PEM file from us in an automated fashion.
A suitable curl command line to only download it when it has changed:
curl --etag-compare etag.txt --etag-save etag.txt --remote-name https://curl.se/ca/cacert.pemOr if you use an ancient curl version that does not support etags:
curl --remote-name --time-cond cacert.pem https://curl.se/ca/cacert.pem
The mk-ca-bundle tool converts Mozilla's certificate store to PEM format, suitable for (lib)curl and others.
You can also extract the ca certs off your Firefox installation, if you just have the 'certutil' tool installed and run the firefox-db2pem.sh script!