How to configure wget to trust a custom CA CRT file

Internal package mirrors, staging APIs, and lab download servers often use a private certificate authority instead of a public web PKI. Pointing wget at the correct CA .crt file keeps TLS verification intact for those endpoints and avoids the insecure habit of disabling certificate checks just to make one transfer work.

GNU wget validates HTTPS peers against its normal trust store unless --ca-certificate or the matching ca_certificate startup directive is set. The CA file must be in PEM format, so a private root or intermediate certificate commonly arrives as a copied .crt file that wget reads directly for verification.

Trust configuration should stay deliberate and local to the account or automation job that needs it. Verify the certificate fingerprint before enabling it, keep the file in a restricted path, and test the endpoint with an explicit --ca-certificate request before turning the same path into a persistent default in ~/.wgetrc.

Steps to configure wget to trust a custom CA CRT file:

  1. Confirm that the installed wget build exposes the HTTPS CA options before editing any trust settings.
    $ wget --help | grep -E -- '--ca-certificate=FILE|--ca-directory=DIR'
           --ca-certificate=FILE       file with the bundle of CAs
           --ca-directory=DIR          directory where hash list of CAs is stored

    --ca-certificate is the right fit for one private CA file or bundle; --ca-directory is more useful when a whole hashed certificate directory already exists.

  2. Copy the custom CA .crt file into a private directory owned by the account that runs wget.
    $ install -d -m 700 "$HOME/.local/share/wget/ca"
    $ install -m 600 internal-ca.crt "$HOME/.local/share/wget/ca/internal-ca.crt"
    $ ls -l "$HOME/.local/share/wget/ca/internal-ca.crt"
    -rw-------  1 user user 1147 Mar 27 06:12 /home/user/.local/share/wget/ca/internal-ca.crt

    If the certificate file is not already in PEM form, convert it first; GNU wget expects the CA file passed to --ca-certificate to be PEM encoded.

  3. Inspect the certificate metadata before trusting it for live downloads.
    $ openssl x509 -in "$HOME/.local/share/wget/ca/internal-ca.crt" -noout -subject -issuer -enddate -fingerprint -sha256
    subject=CN = internal.example CA
    issuer=CN = Internal PKI Root
    notAfter=Dec 12 06:15:01 2029 GMT
    SHA256 Fingerprint=0A:4E:8C:AA:8D:3E:F7:8A:30:EE:65:4D:27:80:F2:40:7B:69:1D:8D:C6:76:32:EB:99:59:2B:A4:52:7F:F1:93

    Confirm the fingerprint against an out-of-band PKI record before trusting the file in automation.

  4. Validate the endpoint with an explicit --ca-certificate request before making the change persistent.
    $ wget --spider \
      --ca-certificate="$HOME/.local/share/wget/ca/internal-ca.crt" \
      https://repo.internal.example/packages/index.html
    Spider mode enabled. Check if remote file exists.
    --2026-03-27 06:12:18--  https://repo.internal.example/packages/index.html
    Resolving repo.internal.example (repo.internal.example)... 192.0.2.10
    Connecting to repo.internal.example (repo.internal.example)|192.0.2.10|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2345 [application/octet-stream]
    Remote file exists.

    Testing with --spider exposes trust and host-name errors without downloading the full payload.

  5. Preview the startup-file behavior with a temporary WGETRC file before changing the real profile.
    $ printf 'ca_certificate = /etc/ssl/cert.pem\n' > temp-wgetrc
    $ WGETRC="$PWD/temp-wgetrc" wget --spider https://example.com
    Spider mode enabled. Check if remote file exists.
    --2026-03-27 06:57:39--  https://example.com/
    Resolving example.com (example.com)... 2606:4700::6812:1a78, 2606:4700::6812:1b78, 104.18.27.120, ...
    Connecting to example.com (example.com)|2606:4700::6812:1a78|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Remote file exists and could contain further links,
    but recursion is disabled -- not retrieving.

    The same startup-file mechanism applies to a private CA path in ~/.wgetrc; this temporary file just proves the directive is being read before the real profile is changed.

  6. Persist the CA path in the user startup file only after the explicit test succeeds.
    $ printf '\nca_certificate = %s\n' "$HOME/.local/share/wget/ca/internal-ca.crt" >> "$HOME/.wgetrc"
    $ grep -n '^ca_certificate' "$HOME/.wgetrc" | tail -n 1
    ca_certificate = /home/user/.local/share/wget/ca/internal-ca.crt

  7. Re-run the protected request without --ca-certificate after the persistent setting is in place and confirm the transfer succeeds.
    $ wget https://repo.internal.example/packages/index.html
    --2026-03-27 06:12:45--  https://repo.internal.example/packages/index.html
    Resolving repo.internal.example (repo.internal.example)... 192.0.2.10
    Connecting to repo.internal.example (repo.internal.example)|192.0.2.10|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1048576 (1.0M) [application/octet-stream]
    Saving to: 'index.html'
    
         0K ...................................................... 100% 14.8M=0.07s
    
    2026-03-27 06:12:45 (14.8 MB/s) - 'index.html' saved [1048576/1048576]

    A successful request without the explicit flag confirms the account-level trust path is now active for future runs.
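Steps 2 through 6 folded into one checked shell flow, added here as an example and not code from the article: it assumes openssl and wget are on PATH, that the expected SHA-256 fingerprint is supplied from the out-of-band PKI record, and that internal-ca.crt and the repo URL are placeholders for the caller's own values.

```shell
#!/bin/sh
# Added example, not part of the original article: the manual steps above
# folded into checked functions. Assumes openssl and wget on PATH; the
# expected fingerprint is supplied by the caller from the PKI record.

# 0 only if FILE carries a PEM certificate block (what --ca-certificate needs).
pem_cert_ok() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null && return 0
    echo "$1: not PEM; convert with: openssl x509 -inform DER -in $1 -out $1.pem" >&2
    return 1
}

# 0 only if the SHA-256 fingerprint of FILE equals EXPECTED (colon form,
# upper-case hex, exactly as 'openssl x509 -fingerprint -sha256' prints it).
fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Dry run against URL with the explicit flag; trust or host-name errors
# surface here before anything touches ~/.wgetrc.
spider_with_ca() {
    wget -q --spider --ca-certificate="$1" "$2"
}

# Rewrites RCFILE so it holds exactly one ca_certificate directive pointing
# at CAPATH (repeat runs never stack duplicates); echoes the resulting count.
persist_ca_path() {
    rcfile=$1 capath=$2
    touch "$rcfile" && chmod 600 "$rcfile"
    { grep -v '^ca_certificate[[:space:]]*=' "$rcfile" || :
      printf 'ca_certificate = %s\n' "$capath"; } > "$rcfile.tmp"
    mv "$rcfile.tmp" "$rcfile"
    grep -c '^ca_certificate[[:space:]]*=' "$rcfile"
}

# Full flow: CERT EXPECTED_FPR URL [RCFILE]; stops at the first failed check,
# so the startup file is only written after the explicit --ca-certificate test.
configure_wget_ca() {
    cert=$1 fpr=$2 url=$3 rcfile=${4:-$HOME/.wgetrc}
    dir=$HOME/.local/share/wget/ca
    pem_cert_ok "$cert" || return 1
    fingerprint_matches "$cert" "$fpr" || { echo "fingerprint mismatch" >&2; return 1; }
    install -d -m 700 "$dir" && install -m 600 "$cert" "$dir/internal-ca.crt" || return 1
    spider_with_ca "$dir/internal-ca.crt" "$url" || { echo "TLS check failed" >&2; return 1; }
    persist_ca_path "$rcfile" "$dir/internal-ca.crt" >/dev/null
}
# Usage: configure_wget_ca internal-ca.crt 'AA:BB:...' https://repo.internal.example/packages/index.html
```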