Internal package mirrors, staging APIs, and lab download servers often use a private certificate authority instead of the public web PKI. Pointing wget at the correct CA .crt file keeps HTTPS verification enabled and avoids falling back to --no-check-certificate just to make one request work.
GNU wget uses --ca-certificate to load a CA bundle for one command, and ca_certificate is the matching startup-file directive for repeated use. The CA file must be PEM encoded, and --ca-directory is the better fit only when a hashed certificate directory already exists.
Keep the CA file in an account-private location, confirm its fingerprint before first use, and test the endpoint with an explicit command before saving the same path in ~/.wgetrc. If the server rejects HEAD requests, verify with a small real download instead of --spider.
Related: How to use client certificates with wget
Related: How to configure default options in ~/.wgetrc
Related: How to debug wget connections
Steps to configure wget to trust a custom CA CRT file:
- Create a private directory for the custom CA file.
$ install -d -m 700 "$HOME/.local/share/wget/ca"
Use an account-local path when only one job or one account needs the extra CA.
- Copy the CA certificate into that directory with restrictive permissions.
$ install -m 600 ops-download-root-ca.crt "$HOME/.local/share/wget/ca/ops-download-root-ca.crt"
A .crt extension is fine as long as the certificate contents are PEM encoded.
- Inspect the certificate fingerprint and expiry before trusting it for live downloads.
$ openssl x509 -in "$HOME/.local/share/wget/ca/ops-download-root-ca.crt" -noout -subject -issuer -enddate -fingerprint -sha256
subject=CN=Example Operations Download Root CA, O=Example Operations, OU=Artifact Delivery
issuer=CN=Example Operations Download Root CA, O=Example Operations, OU=Artifact Delivery
notAfter=Mar 26 01:18:12 2036 GMT
sha256 Fingerprint=06:55:9D:59:6B:25:9C:BF:5E:84:77:0F:91:5B:54:CD:75:FA:6B:97:1D:BE:F0:5C:B2:CE:1D:9C:2E:41:50:19
Match the fingerprint against an out-of-band PKI record before using the file against internal or production endpoints.
- Reproduce the certificate failure once without the custom CA file.
$ wget --spider https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Spider mode enabled. Check if remote file exists.
--2026-03-29 09:19:11-- https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
ERROR: cannot verify downloads.ops.example.net's certificate, issued by 'OU=Artifact Delivery,O=Example Operations,CN=Example Operations Download Root CA':
  Unable to locally verify the issuer's authority.
To connect to downloads.ops.example.net insecurely, use '--no-check-certificate'.
A clean baseline failure keeps later DNS, routing, or HTTP problems from being mistaken for a trust-store issue.
- Retry the same request with --ca-certificate and confirm that the endpoint now verifies cleanly.
$ wget --spider --ca-certificate="$HOME/.local/share/wget/ca/ops-download-root-ca.crt" https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Spider mode enabled. Check if remote file exists.
--2026-03-29 09:19:11-- https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576 (1.0M) [application/gzip]
Remote file exists.
--spider keeps the proof focused on TLS trust without starting the full transfer.
- Put the tested CA path in a preview startup file before changing the real user profile.
wget-ca-preview.wgetrc
ca_certificate = /home/deploy/.local/share/wget/ca/ops-download-root-ca.crt
The value should be the real absolute path to the CA file for the account that runs wget.
- Load the preview file and confirm that the same request now works without --ca-certificate.
$ wget --config=wget-ca-preview.wgetrc --spider https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Spider mode enabled. Check if remote file exists.
--2026-03-29 09:19:11-- https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576 (1.0M) [application/gzip]
Remote file exists.
- Save the same directive in ~/.wgetrc for recurring downloads.
~/.wgetrc
ca_certificate = /home/deploy/.local/share/wget/ca/ops-download-root-ca.crt
Keep only the CA path that the account actually needs instead of turning the profile into a catch-all trust override.
- Run a normal download without --ca-certificate and confirm that the transfer succeeds with the saved profile.
$ wget https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
--2026-03-29 09:19:29-- https://downloads.ops.example.net/packages/agent-2026.03.tar.gz
Resolving downloads.ops.example.net (downloads.ops.example.net)... 198.51.100.24
Connecting to downloads.ops.example.net (downloads.ops.example.net)|198.51.100.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1048576 (1.0M) [application/gzip]
Saving to: 'agent-2026.03.tar.gz'
     0K ...................................................... 100% 14.8M=0.07s
2026-03-29 09:19:29 (14.8 MB/s) - 'agent-2026.03.tar.gz' saved [1048576/1048576]
A successful transfer without the flag confirms that the saved ca_certificate setting is active for later wget commands.
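The checks the steps above perform by hand (PEM framing, account-private mode, fingerprint against the PKI record, absolute path in the startup directive) collected into one pre-flight script. This is an added example, not part of the original article; the function names are hypothetical, and it assumes GNU coreutils (stat -c, base64 -d, sha256sum) and a CA file holding a single certificate.

```shell
#!/bin/sh
# Pre-flight checks for a private CA .crt before it is passed to wget --ca-certificate
# or written into ~/.wgetrc. Assumes GNU coreutils and a single-certificate PEM file.

# SHA-256 over the decoded DER body, printed as "AA:BB:...". This is the same value
# that `openssl x509 -noout -fingerprint -sha256` prints, so no openssl is needed here.
ca_fingerprint_sha256() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
    | sed '/^-----/d' | base64 -d | sha256sum | cut -d' ' -f1 \
    | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Normalise a fingerprint copied from an out-of-band record: drop colons/spaces, upper-case.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# check_ca_file FILE EXPECTED_SHA256_FINGERPRINT
# Succeeds only if FILE is exactly one PEM certificate, readable by the owner alone,
# and its fingerprint matches the record; otherwise prints the reason and fails.
check_ca_file() {
  f=$1; want=$(norm_fp "$2")
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  [ "$n" -eq 1 ] || { echo "expected one PEM certificate, found $n" >&2; return 1; }
  mode=$(stat -c %a "$f")
  case "$mode" in
    [0-7]00) ;;
    *) echo "mode $mode is not account-private (want 600)" >&2; return 1 ;;
  esac
  have=$(norm_fp "$(ca_fingerprint_sha256 "$f")")
  [ "$have" = "$want" ] || { echo "fingerprint mismatch: $have" >&2; return 1; }
}

# Print the startup-file line. wget expects an absolute path here, not ~ or $HOME.
wgetrc_directive() {
  case "$1" in
    /*) printf 'ca_certificate = %s\n' "$1" ;;
    *) echo "ca_certificate needs an absolute path: $1" >&2; return 1 ;;
  esac
}

# fetch_with_ca FILE EXPECTED_FINGERPRINT URL: verify the CA first, then download with it.
fetch_with_ca() {
  check_ca_file "$1" "$2" || return 1
  wget --ca-certificate="$1" "$3"
}
```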
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
