ca-certs -- detect root CA certificates from the operating system
TLS requires a set of root anchors (Certificate Authorities) to authenticate servers. This library detects the OS trust store and exposes its certificates so they can be used with ocaml-tls or any X.509 validation workflow.
Usage

Build a TLS authenticator from the OS trust store

    let () =
      match Ca_certs.authenticator () with
      | Ok authenticator ->
        (match Tls.Config.client ~authenticator () with
         | Ok tls_config -> ignore tls_config (* use for TLS connections *)
         | Error (`Msg msg) ->
           Format.eprintf "TLS config failed: %s\n" msg)
      | Error (`Msg msg) ->
        Format.eprintf "CA detection failed: %s\n" msg
API

- Ca_certs.authenticator ?crls ?allowed_hashes () -- detect root CAs and build an X509.Authenticator.t using the current system time. Suitable for passing directly to Tls.Config.client.
- Ca_certs.trust_anchors () -- return the PEM-encoded root certificates from the OS trust store as a string.
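The following is an added example, not code from the library or its README. It ties the two API functions together: it decodes the PEM bundle returned by Ca_certs.trust_anchors (), reports anchors whose validity window does not contain the current time, and then builds an authenticator that only accepts SHA-2 signature hashes and optionally honours a caller-supplied CRL. It assumes the x509 (string-based API, 1.0 or later), ptime.clock.os and tls libraries are available, that Ca_certs.trust_anchors () returns a result in the same shape as Ca_certs.authenticator (), and that X509.Validation.sha2 names the SHA-2 hash list; the CRL path is a placeholder chosen by the caller.

```ocaml
(* Added example (not the library's own code). Assumptions: x509 >= 1.0
   string-based API, ptime.clock.os, tls; Ca_certs.trust_anchors () returns
   (string, [> `Msg of string ]) result like Ca_certs.authenticator (). *)

let ( let* ) = Result.bind

(* Decode the OS bundle and list anchors that are expired or not yet valid
   at [now]. Returns (total anchors, anchors outside their validity window). *)
let audit_anchors now =
  let* pem = Ca_certs.trust_anchors () in
  let* certs = X509.Certificate.decode_pem_multiple pem in
  let stale =
    List.filter
      (fun cert ->
        let not_before, not_after = X509.Certificate.validity cert in
        Ptime.is_earlier now ~than:not_before
        || Ptime.is_later now ~than:not_after)
      certs
  in
  List.iter
    (fun cert ->
      Format.printf "outside validity window: %a@."
        X509.Distinguished_name.pp (X509.Certificate.subject cert))
    stale;
  Ok (List.length certs, List.length stale)

(* Build an authenticator restricted to SHA-2 signature hashes (MD5/SHA-1
   signed chains are rejected). [crl_path], when given, is a placeholder
   path to a DER-encoded CRL that chain validation will consult. *)
let hardened_authenticator ?crl_path () =
  let* crls =
    match crl_path with
    | None -> Ok []
    | Some path ->
      let ic = open_in_bin path in
      let der = really_input_string ic (in_channel_length ic) in
      close_in ic;
      let* crl = X509.CRL.decode_der der in
      Ok [ crl ]
  in
  Ca_certs.authenticator ~crls ~allowed_hashes:X509.Validation.sha2 ()

let () =
  let now = Ptime_clock.now () in
  (match audit_anchors now with
   | Ok (total, stale) ->
     Format.printf "%d trust anchors, %d outside validity window@." total stale
   | Error (`Msg m) -> Format.eprintf "audit failed: %s@." m);
  match hardened_authenticator () with
  | Ok authenticator ->
    (match Tls.Config.client ~authenticator () with
     | Ok _tls_config -> print_endline "TLS client config ready"
     | Error (`Msg m) -> Format.eprintf "TLS config failed: %s@." m)
  | Error (`Msg m) -> Format.eprintf "CA detection failed: %s@." m
```

Anchors outside their validity window are only reported, not removed: the authenticator still performs its own time check per handshake, so the audit is there to surface a stale OS bundle (or a misconfigured SSL_CERT_FILE) early rather than to alter what is trusted.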
Installation
Install with opam:
$ opam install nox-ca-certs
If opam cannot find the package, it may not yet be released in the public
opam-repository. Add the overlay repository, then install it:
$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install nox-ca-certs
Environment Variables

- SSL_CERT_FILE -- override the path to the system trust anchors (Unix).
- NIX_SSL_CERT_FILE -- fallback if SSL_CERT_FILE is not set (NixOS).
- OCAML_EXTRA_CA_CERTS -- path to a PEM file with additional CAs to append.
Supported Platforms
Works on Linux, macOS, FreeBSD, OpenBSD, Windows, and other Unix systems.
- Linux / FreeBSD / OpenBSD: reads PEM bundles from standard system paths
- macOS: uses the system keychain via security find-certificate
- Windows: uses the Windows certificate store via system APIs
On FreeBSD, install the ca_root_nss package for root certificates.
License
ISC