ssl - What exactly is cacert.pem for?

Question

In my PayPal Pro payment page I use the cURL function curl_setopt_array() with the following option : cUIn CURLOPT_CAINFO => dirname(FILE) . '/cacert.pem'.

Works fine, however even after some research I don't understand what exactly is cacert.pem for. I don't understand the concept of "verification against" that is mentioned everywhere. And what is the relationship between this file and the .csr/.crt certificate I bought to my provider ?

Answer 1

cacert.pem is a bundle of CA certificates that you use to verify that the server is really the correct site you're talking to (when it presents its certificate in the SSL handshake). The bundle can be used by tools like curl or wget, as well as other TLS/SSL speaking software. The bundle should contain the certificates for the CAs you trust. This bundle is sometimes referred to as the "CA cert store".

Example:

curl --cacert cacert.pem https://example.com

In the curl project, there's a cacert.pem being provided that is converted from the ca certs Mozilla ships for Firefox.

It is done by the use of digital signatures. For the full explanation of what a CA (certificate authority) is, I refer to wikipedia.