curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
I have created a self-signed CA certificate ca.cer and an HTTPS server certificate signed by it. I'm using this curl version on Windows 11:
curl 8.8.0 (Windows) libcurl/8.8.0 Schannel zlib/1.3 WinIDN
Release-Date: 2024-05-22
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets
I run 3 commands, and I can't understand why the first one and the third one fail.
The ca.cer CA self-signed certificate has been added to the Trusted Root Certification Authorities certificates in Windows, using Administrator privileges.
First: since curl is built on Schannel, this one should succeed because ca.cer was added to the Windows Trusted Root Authorities certificates:
C:\> curl --ssl-no-revoke -X POST https://%servername%:%port%
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
Second: this one succeeds because I pass ca.cer to --cacert:
C:\>curl --cacert ca.cer --ssl-no-revoke -X POST https://%servername%:%port%
Third: this third command fails as well:
C:\>curl --ca-native --ssl-no-revoke -X POST https://%servername%:%port%
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
Why does the third command fail? I can see ca.cer among the trusted roots, and have used --ca-native.
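
A way to check the premise of the question from the Windows side, as an added example that is not part of the original post: it reports which Root stores hold ca.cer and asks the Windows chain engine to build the server certificate's chain with revocation checking off. The file name server.cer (an export of the HTTPS server's certificate) is an assumption; ca.cer is the file from the question.

```powershell
# Added diagnostic example, not from the original post.
# ca.cer is the CA file from the question; server.cer is an ASSUMED
# (hypothetical) export of the HTTPS server's leaf certificate.
$x509   = 'System.Security.Cryptography.X509Certificates'
$ca     = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path .\ca.cer).Path
$server = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path .\server.cer).Path

# 1. Which Trusted Root store actually contains ca.cer?
#    Importing as Administrator and importing for the current user
#    land in different stores, so report both.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $found = [bool](Get-ChildItem $store |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint })
    '{0,-24} contains ca.cer: {1}' -f $store, $found
}

# 2. Does the server certificate name ca.cer as its issuer at all?
'Server issuer matches CA subject: {0}' -f ($server.Issuer -eq $ca.Subject)
'CA is self-signed (subject = issuer): {0}' -f ($ca.Subject -eq $ca.Issuer)

# 3. Build the chain with the Windows chain engine.
#    NoCheck mirrors curl's --ssl-no-revoke.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($server)
"Chain.Build returned: $built"

# Every certificate the engine placed in the chain, leaf first.
foreach ($element in $chain.ChainElements) {
    '  element: {0} [{1}]' -f $element.Certificate.Subject,
                              $element.Certificate.Thumbprint
}

# Any failure reasons, e.g. UntrustedRoot or PartialChain.
foreach ($status in $chain.ChainStatus) {
    '  status : {0} - {1}' -f $status.Status, $status.StatusInformation.Trim()
}

# 4. Is the certificate at the top of the built chain really ca.cer?
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
'Chain ends at ca.cer: {0}' -f ($top.Thumbprint -eq $ca.Thumbprint)
```

If step 3 reports UntrustedRoot while step 1 shows ca.cer present, the thumbprint printed for the top chain element in step 4 shows which certificate the engine actually treated as the root.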