cURL is showing certificate error when accessing HTTPS site
search cancel

cURL is showing certificate error when accessing HTTPS site


Article ID: 171331


Updated On:


Cloud Secure Web Gateway - Cloud SWG


You are using the application cURL to send or retrieve files and web pages from a secured (HTTPS) site but it's failing to establish a connection and showing certificate errors.

Example of error message with cURL for Windows

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


  • Windows
  • Ubuntu (Linux)

(Please note that a Linux OS can only be protected via IPSec tunnel or Proxy Forwarding access methods).


This issue is caused by one of the following reasons:

  • The Cloud SWG root certificate has not been added to Windows certificate store or Linux ca-certificates store.
  • cURL has not been properly installed or set up to identify trusted certificates in the OS' store
    • In Windows, you will need to use a special version or cURL that uses Secure Channel (WinSSL) or specify the certificate everytime you run the program
  • Certificate is not specified when running the cURL command


Add the Cloud SWG root certificate to the your operating system store:



  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

    sudo mkdir /usr/share/ca-certificates/extra
  2. Copy the CertEmulationCA.crt file to this directory:

    sudo cp CertEmulationCA.crt /usr/share/ca-certificates/extra/CertEmulationCA.crt
  3. Update ca-certificates configuration to include the recently imported certificate.

    sudo dpkg-reconfigure ca-certificates

Alternatively, you can instruct cURL to use the certificate when running the command:

curl --cacert c:\temp\CertEmulationCA.crt