// the find
bagder/ca-bundle
The Mozilla CA bundle extracted and converted to PEM. This repository functions as a backup to the automated service on the curl web site.
A Git-tracked copy of the Mozilla CA bundle in PEM format, maintained by Daniel Stenberg (the curl author) as a backup to curl.se/docs/caextract.html. If you need a machine-readable CA bundle for a non-standard environment that can't use the system trust store, this is where to grab it.
Maintained by someone who actually understands TLS and certificate infrastructure, so updates track Mozilla NSS closely. Keeping certdata.txt alongside the generated PEM means you can audit exactly which Mozilla source commit produced a given bundle. MPL 2.0 is a permissive license that won't surprise legal teams. The commit-to-source table in the README is genuinely useful for tracing back any certificate change.
This is explicitly a backup — the canonical source is a web page, and this repo may lag behind it. With 157 forks and no automation visible in the repo itself, there's no indication of how quickly updates get pushed after Mozilla changes certdata.txt. If you're baking this into a Docker image or a build pipeline, you're better off fetching from curl.se directly so you always get the latest; pinning a git commit here gives you reproducibility but also lets you silently ship expired or revoked CAs. There's no changelog or release tagging, so auditing 'what changed between our last deploy and this one' means diffing the PEM blob manually.