From the docs:
--cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. If this option is used several times, the last one will be used.
--capath (HTTPS) Tells curl to use the specified certificate directory to verify the peer. The certificates must be in PEM format, and the directory must have been processed using the c_rehash utility supplied with openssl. Certificate directories are not supported under Windows (because c_rehash uses symbolic links to create them). Using --capath can allow curl to make https connections much more efficiently than using --cacert if the --cacert file contains many CA certificates. If this option is used several times, the last one will be used.
So, if you specify --cacert, cURL reads the CA certs from the specified file. These CA certificates are used to verify the certs of the remote servers that cURL connects to.
The --capath option is used to specify a directory containing the CA certs rather than a single file. The c_rehash utility should be used to prepare the directory, i.e., to create the necessary hash-named links. The main benefit of using --capath would appear to be that it's more efficient than the --cacert single-file approach if you have many CA certs.
Here's a script that probably does what c_rehash does:
for file in *.pem; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file").0"; done   # one <subject_hash>.0 link per cert
With both options you should be careful to only include CA certs from CAs you trust. If, for example, you know the remote servers should always be issued certs from YourCompanyCA, then this is the only CA cert you should include.
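As an added example (not part of the answer above), the following script reproduces what c_rehash does for CA certificates, including the .0/.1/... suffixes it uses when two CAs hash to the same value, and then shows with OpenSSL's own -CApath lookup (the same hashed-directory lookup that curl's --capath relies on) that a CA is found only once the links exist. Function names and the throwaway self-signed CA are this example's own; CRL links (.r0) are not handled, and OpenSSL 1.1.0 and later also ship an `openssl rehash` subcommand that does the same job.

```shell
#!/bin/sh
# Added example: emulate c_rehash for a directory of CA certs and verify that
# the hashed-directory lookup works. Requires the openssl CLI.

# make_capath SRC DEST: link each *.pem in SRC into DEST as <subject_hash>.<n>,
# taking the first free n so that a hash collision does not clobber a prior link.
make_capath() {
    src="$1"; dest="$2"
    mkdir -p "$dest" || return 1
    for file in "$src"/*.pem; do
        [ -f "$file" ] || continue
        hash=$(openssl x509 -subject_hash -noout -in "$file") || return 1
        n=0
        while [ -e "$dest/$hash.$n" ]; do n=$((n + 1)); done
        # Link by absolute path so the link resolves regardless of cwd.
        ln -s "$(cd "$(dirname "$file")" && pwd)/$(basename "$file")" "$dest/$hash.$n"
    done
}

# capath_check CAPATH CERT: exit 0 if CERT is trusted via the hashed directory.
capath_check() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# demo_capath: exit 0 when an un-hashed copy of the CA is rejected and the
# rehashed directory is accepted. Uses a constructed, throwaway self-signed CA.
demo_capath() {
    work=$(mktemp -d) || return 1
    mkdir "$work/cas" "$work/plain"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$work/ca.key" -out "$work/cas/example-ca.pem" 2>/dev/null || return 1
    cp "$work/cas/example-ca.pem" "$work/plain/"
    if capath_check "$work/plain" "$work/cas/example-ca.pem"; then
        rm -rf "$work"; return 1     # a bare copy must NOT be found by -CApath
    fi
    make_capath "$work/cas" "$work/capath" || return 1
    capath_check "$work/capath" "$work/cas/example-ca.pem"
    status=$?
    rm -rf "$work"
    return "$status"
}
```

Run `demo_capath` (or `make_capath /path/to/cas /path/to/capath` on your own certs) and pass the resulting directory to `curl --capath`.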