Internal package mirrors, staging APIs, and lab download servers often use a private certificate authority instead of the public web PKI. Pointing wget at the correct CA .crt file keeps HTTPS verification enabled for those systems and avoids the unsafe habit of disabling certificate checks just to make one download work.
GNU wget verifies the server certificate against its normal trust store unless --ca-certificate or the matching ca_certificate startup directive is set. The file passed to --ca-certificate must be a PEM-encoded CA certificate or bundle, while --ca-directory is the better fit only when a full hashed CA directory already exists.
Trust changes should stay explicit and local to the account or job that needs them. Verify the certificate fingerprint before relying on it, test the target endpoint with an explicit command first, and only then promote the same path into ~/.wgetrc for repeated use.
Steps to configure wget to trust a custom CA CRT file:
- Place the private CA file in a directory that is private to the account running wget.
$ install -d -m 700 "$HOME/.local/share/wget/ca"
$ install -m 600 ops-download-root-ca.crt "$HOME/.local/share/wget/ca/ops-download-root-ca.crt"
$ ls -l "$HOME/.local/share/wget/ca/ops-download-root-ca.crt"
-rw------- 1 deploy deploy 1359 Mar 29 09:18 /home/deploy/.local/share/wget/ca/ops-download-root-ca.crt
The file can still use a .crt extension as long as the contents are PEM encoded. Convert it first if it arrives in another format.
- Inspect the certificate metadata and fingerprint before trusting it for live downloads.
$ openssl x509 -in "$HOME/.local/share/wget/ca/ops-download-root-ca.crt" -noout -subject -issuer -enddate -fingerprint -sha256
subject=CN=Example Operations Download Root CA, O=Example Operations, OU=Artifact Delivery
issuer=CN=Example Operations Download Root CA, O=Example Operations, OU=Artifact Delivery
notAfter=Mar 26 01:18:12 2036 GMT
sha256 Fingerprint=06:55:9D:59:6B:25:9C:BF:5E:84:77:0F:91:5B:54:CD:75:FA:6B:97:1D:BE:F0:5C:B2:CE:1D:9C:2E:41:50:19
Match the fingerprint against an out-of-band PKI record before allowing the file to validate production or internal traffic.
- Reproduce the trust failure once without the custom CA so the problem is clearly isolated to certificate validation.
$ wget --spider https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Spider mode enabled. Check if remote file exists.
--2026-03-29 09:19:11--  https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
ERROR: cannot verify downloads.ops.example.net's certificate, issued by 'OU=Artifact Delivery,O=Example Operations,CN=Example Operations Download Root CA':
  Unable to locally verify the issuer's authority.
To connect to downloads.ops.example.net insecurely, use '--no-check-certificate'.
Capturing the baseline failure first prevents later DNS, routing, or HTTP problems from being misread as a trust-store issue.
- Retry the same request with --ca-certificate and confirm that the server now verifies cleanly.
$ wget --spider \
    --ca-certificate="$HOME/.local/share/wget/ca/ops-download-root-ca.crt" \
    https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Spider mode enabled. Check if remote file exists.
--2026-03-29 09:19:11--  https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576 (1.0M) [application/gzip]
Remote file exists.
Using spider mode proves that the CA file works before a larger payload is downloaded.
- Preview the persistent behavior with a temporary startup file before editing the real profile.
$ printf 'ca_certificate = %s\n' "$HOME/.local/share/wget/ca/ops-download-root-ca.crt" > ca-test.wgetrc
$ WGETRC="$PWD/ca-test.wgetrc" wget --spider https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Spider mode enabled. Check if remote file exists.
--2026-03-29 09:19:11--  https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576 (1.0M) [application/gzip]
Remote file exists.
This preview confirms that the startup-file directive is being read before the account-wide config is changed.
- Persist the CA path in ~/.wgetrc only after the explicit test succeeds.
$ printf '\nca_certificate = %s\n' "$HOME/.local/share/wget/ca/ops-download-root-ca.crt" >> "$HOME/.wgetrc"
$ grep -n '^ca_certificate' "$HOME/.wgetrc" | tail -n 1
15:ca_certificate = /home/deploy/.local/share/wget/ca/ops-download-root-ca.crt
- Re-run the request without --ca-certificate and confirm that the account default now covers the endpoint.
$ wget https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
--2026-03-29 09:19:29--  https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576 (1.0M) [application/gzip]
Saving to: 'agent-2026.03.tar.gz'

0K ...................................................... 100% 14.8M=0.07s

2026-03-29 09:19:29 (14.8 MB/s) - 'agent-2026.03.tar.gz' saved [1048576/1048576]

A successful transfer without the explicit flag confirms that the custom CA path is active for future commands run by the same account.
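The same procedure, collected into reusable POSIX sh functions, as an added example that is not part of the original article. It assumes the caller supplies the CA file, the destination directory, the fingerprint recorded out of band, the target URL and the startup file; install_private_ca, verify_ca_fingerprint, probe_with_ca, set_wgetrc_ca and wgetrc_ca_path are names chosen here. Only probe_with_ca touches the network; the fingerprint check refuses non-PEM input before calling openssl, and the startup-file writer replaces an earlier ca_certificate line instead of stacking a second one.

```shell
#!/bin/sh
# Added example, not part of the original article: the manual steps above as
# reusable POSIX sh functions. Paths, the expected fingerprint and the URL are
# assumptions supplied by the caller; only probe_with_ca needs network access.

# install_private_ca SRC DEST_DIR
# Copy the CA file into a directory readable only by the current account
# (700 on the directory, 600 on the file) and print the installed path.
install_private_ca() {
    src=$1
    dest_dir=$2
    dest="$dest_dir/$(basename "$src")"
    install -d -m 700 "$dest_dir" || return 1
    install -m 600 "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}

# verify_ca_fingerprint CA_FILE EXPECTED_SHA256
# wget requires PEM, so anything without a PEM header is rejected up front.
# The SHA-256 fingerprint is then compared with the value recorded out of
# band; colons and case are normalised so "06:55:9d..." and "06559D..." match.
verify_ca_fingerprint() {
    ca_file=$1
    expected=$2
    grep -q 'BEGIN CERTIFICATE' "$ca_file" 2>/dev/null || return 1
    actual=$(openssl x509 -in "$ca_file" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*Fingerprint=//')
    norm_actual=$(printf '%s' "$actual" | tr -d ':' | tr 'a-f' 'A-F')
    norm_expected=$(printf '%s' "$expected" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$norm_actual" ] && [ "$norm_actual" = "$norm_expected" ]
}

# probe_with_ca CA_FILE URL
# Spider-mode request that trusts CA_FILE for this single call only, so the
# trust change is exercised before anything is written to a startup file.
probe_with_ca() {
    wget --spider --ca-certificate="$1" "$2"
}

# set_wgetrc_ca WGETRC_FILE CA_PATH
# Leave exactly one ca_certificate directive in the file: an earlier one is
# replaced rather than appended to, so repeated runs leave no stale paths.
set_wgetrc_ca() {
    rc=$1
    ca_path=$2
    [ -f "$rc" ] || : > "$rc"
    grep -v '^ca_certificate *=' "$rc" > "$rc.tmp" || :
    printf 'ca_certificate = %s\n' "$ca_path" >> "$rc.tmp"
    mv "$rc.tmp" "$rc"
}

# wgetrc_ca_path WGETRC_FILE
# Print the ca_certificate path wget will read from that file (last one wins).
wgetrc_ca_path() {
    grep '^ca_certificate *=' "$1" | tail -n 1 | sed 's/^ca_certificate *= *//'
}

# Typical use with assumed values, mirroring the manual steps:
#   ca=$(install_private_ca ops-download-root-ca.crt "$HOME/.local/share/wget/ca")
#   verify_ca_fingerprint "$ca" "$EXPECTED_FP" || { echo "fingerprint mismatch" >&2; exit 1; }
#   probe_with_ca "$ca" "$URL" && set_wgetrc_ca "$HOME/.wgetrc" "$ca"
```

Running the fingerprint check before probe_with_ca keeps the order the article insists on: nothing is sent to the server with the new trust anchor until the file has been matched against the PKI record, and nothing reaches ~/.wgetrc until the explicit probe has succeeded.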
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
