Stephen Last

Reputation: 5781

Certificate CA bundle file: PEM - PHP/cURL - Local install..?

I'm using Windows Server 2008 R2 (with IIS), PHP 5.6.0 and cURL 7.36.0 to test against PayPal's TLS test URL:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://tlstest.paypal.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FAILONERROR, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSLVERSION, 6); // CURL_SSLVERSION_TLSv1_2
curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '\cacert.pem');
$result = curl_exec($ch);
curl_close($ch);

When I use CURLOPT_CAINFO and cacert.pem from http://curl.haxx.se/docs/caextract.html it works and I get:

PayPal_Connection_OK

When I don't use CURLOPT_CAINFO I get this error:

SSL certificate problem: unable to get local issuer certificate

I've tried this:

  1. mmc
  2. File > Add/remove snap-in
  3. Certificates (Local Computer)
  4. Trusted Root Certification Authorities > Certificates
  5. All tasks > Import
  6. Select cacert.pem
  7. Message: "The import was successful"

However this has made no difference, I still have to use CURLOPT_CAINFO for it to work.

Is there any way I can install all these root certificates on our Windows Server so that I don't have to use CURLOPT_CAINFO and cacert.pem with every call I make..?

Upvotes: 3

Views: 8240

Answers (1)

Eineki

Reputation: 14959

You can leverage your php.ini to set the absolute path of where the cacert.pem is located.

The directive is curl.cainfo

Set it, or at least read its value and place your file at the right position.

See: http://php.net/manual/en/curl.configuration.php

Upvotes: 4
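One way to confirm that the `curl.cainfo` setting from the answer is actually in effect, as an added example (not code from the question or the answer). The `check_ca_bundle` helper and the bundle path shown in the comment are assumptions made for illustration.

```php
<?php
// Added example. Assumed php.ini entry (constructed path, adjust to your install):
//   curl.cainfo = "C:\php\extras\ssl\cacert.pem"

/** Return a list of problems with the configured CA bundle (empty list = OK). */
function check_ca_bundle($path)
{
    if ($path === false || $path === '') {
        return ['curl.cainfo is not set in the loaded php.ini'];
    }
    $problems = [];
    // A relative path resolves against the working directory, which differs under IIS.
    if (!preg_match('~^([A-Za-z]:[\\\\/]|/)~', $path)) {
        $problems[] = "curl.cainfo is not an absolute path: $path";
    }
    if (!is_readable($path)) {
        $problems[] = "CA bundle is missing or not readable: $path";
        return $problems;
    }
    if (substr_count(file_get_contents($path), '-----BEGIN CERTIFICATE-----') === 0) {
        $problems[] = "no PEM certificates found in $path";
    }
    return $problems;
}

$version = curl_version();
echo 'php.ini in use : ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
// With an OpenSSL backend, libcurl of this era reads CA certificates from a
// PEM file, not from the Windows certificate store populated through mmc.
echo 'TLS backend    : ', $version['ssl_version'], PHP_EOL;

$problems = check_ca_bundle(ini_get('curl.cainfo'));
foreach ($problems as $p) {
    echo 'PROBLEM: ', $p, PHP_EOL;
}
if ($problems) {
    exit(1);
}

// Same request as in the question, without CURLOPT_CAINFO:
// the bundle now comes from php.ini, and verification stays enabled.
$ch = curl_init('https://tlstest.paypal.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FAILONERROR, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSLVERSION, 6); // CURL_SSLVERSION_TLSv1_2
$result = curl_exec($ch);
echo $result === false ? 'cURL error: ' . curl_error($ch) : $result, PHP_EOL;
curl_close($ch);
```

Run it through the same SAPI that serves the site (IIS/FastCGI rather than the CLI), since each can load a different php.ini; restart the PHP process after editing the file.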
