curl Commands Reference
Essential curl commands for testing HTTPS connections and inspecting certificates
🌐 Basic HTTP/HTTPS Requests
Simple GET request
curl https://example.comFetches content from the URL and prints to stdout.
Show response headers
curl -I https://example.comFetches headers only (HEAD request). Use -i to include headers with body.
Verbose output (show request/response details)
curl -v https://example.comShows TLS handshake, headers, and connection details. Very useful for debugging.
Follow redirects
curl -L https://example.comAutomatically follows HTTP 3xx redirects to the final destination.
Save response to file
curl -o output.html https://example.comUse -O to use the remote filename.
🔒 Certificate Inspection
View certificate details
curl -vI https://example.com 2>&1 | grep -A 20 "Server certificate"Shows certificate subject, issuer, expiration, and validation info.
Download server certificate
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -out cert.pemWhile this uses OpenSSL, curl can verify the saved certificate with --cacert.
Show certificate expiration date
curl -vI https://example.com 2>&1 | grep "expire date"Extracts the certificate expiration date from the verbose TLS handshake output.
Show full certificate chain details
curl -vI https://example.com 2>&1 | grep -E "(subject|issuer|expire|SSL connection)"Extracts subject, issuer, expiration, and TLS protocol details from the handshake.
Check OCSP stapling status
curl --cert-status -v https://example.com 2>&1 | head -30Requests OCSP stapled response from the server. Fails if no valid stapled response is provided.
Show SSL verification result code
curl -w "SSL Verify: %{ssl_verify_result}\n" -o /dev/null -s https://example.comReturns 0 if certificate verification succeeded. Non-zero values indicate specific OpenSSL verification errors.
Ignore certificate errors (UNSAFE - testing only)
curl -k https://self-signed.badssl.comWarning: Never use -k in production. Only for testing self-signed certificates.
Use custom CA bundle
curl --cacert /path/to/ca-bundle.crt https://example.comValidate server certificate against a specific CA certificate file.
Use CA certificate directory
curl --capath /etc/ssl/certs/ https://example.comUse a directory of CA certificates (hashed with c_rehash) instead of a single bundle file.
Verify against a CRL
curl --crlfile /path/to/crl.pem https://example.comCheck the server certificate against a Certificate Revocation List in PEM format.
🔐 TLS/SSL Configuration
Force TLS 1.2 minimum
curl --tlsv1.2 https://example.comRequire TLS 1.2 as the minimum version. The server may negotiate a higher version (e.g. TLS 1.3).
Force TLS 1.3 only
curl --tlsv1.3 --tls-max 1.3 https://example.comCombining --tlsv1.3 (minimum) with --tls-max 1.3 (maximum) forces exactly TLS 1.3.
Set maximum TLS version
curl --tls-max 1.2 https://example.comCaps the TLS version at 1.2. Useful for testing whether a server supports specific TLS versions.
Show supported TLS versions
curl -V | grep -i tlsShows which TLS versions and SSL library your curl installation supports.
Specify cipher suites (TLS 1.2)
curl --ciphers 'ECDHE-RSA-AES256-GCM-SHA384' https://example.comTest a specific TLS 1.2 cipher suite. Uses OpenSSL cipher string syntax. List available ciphers with openssl ciphers.
Specify TLS 1.3 cipher suites
curl --tls13-ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256' \
https://example.comTLS 1.3 has separate cipher suite configuration. Requires curl 7.61+ built with OpenSSL 1.1.1+.
Use client certificate (mTLS)
curl --cert client.pem --key client-key.pem https://example.comFor mutual TLS authentication where server requires client certificate.
Use client certificate with passphrase
curl --cert client.pem:password --key client-key.pem https://example.comAppend the passphrase after a colon on the cert path. Omit the passphrase to be prompted interactively.
Specify client certificate type
curl --cert-type P12 --cert client.p12:password https://example.comSupported types: PEM (default), DER, P12 (PKCS#12), ENG (crypto engine).
Certificate pinning (public key)
# Pin to a specific SHA-256 public key hash
curl --pinnedpubkey 'sha256//YhKJG3C8RLOHI3eJrEblDjDR3bDcEMPTmETfhQdS0pw=' \
https://example.com
# Pin to a public key file (PEM or DER format)
curl --pinnedpubkey /path/to/pinned-pubkey.pem https://example.comRejects the connection if the server public key does not match the pinned value. Protects against compromised CAs.
Specify SNI hostname (--resolve)
curl --resolve example.com:443:192.0.2.1 https://example.comConnect to specific IP while requesting certificate for hostname. Useful for testing before DNS changes or verifying CDN endpoints.
Connect to alternate host (--connect-to)
curl --connect-to example.com:443:alt-server.example.com:443 \
https://example.comRedirects the connection to a different host and port while keeping the original Host header and SNI. Requires curl 7.49+.
📤 HTTP Methods & Headers
POST request with JSON data
curl -X POST https://api.example.com/endpoint \
-H "Content-Type: application/json" \
-d '{"key":"value"}'POST request with form data
curl -X POST https://example.com/login -d "username=user&password=pass"Add custom headers
curl -H "Authorization: Bearer token123" \
-H "Accept: application/json" \
https://api.example.comPUT request
curl -X PUT https://api.example.com/resource/123 \
-H "Content-Type: application/json" \
-d '{"updated":"data"}'DELETE request
curl -X DELETE https://api.example.com/resource/123Set User-Agent
curl -A "Mozilla/5.0 (Custom Agent)" https://example.com🔑 Authentication
Basic authentication
curl -u username:password https://example.comSends credentials using HTTP Basic Auth. Use -u username to prompt for password.
Bearer token authentication
curl -H "Authorization: Bearer YOUR_TOKEN" https://api.example.comOAuth2 / API Key
curl -H "X-API-Key: YOUR_API_KEY" https://api.example.comDigest authentication
curl --digest -u username:password https://example.comNegotiate (Kerberos/SPNEGO) authentication
curl --negotiate -u : https://example.comUses existing Kerberos ticket. The -u : passes an empty user to trigger the mechanism.
⏱️ Performance & Timing
Show timing breakdown
curl -w "\nDNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTLS: %{time_appconnect}s\nTotal: %{time_total}s\n" \
-o /dev/null -s https://example.comShows time for DNS lookup, TCP connection, TLS handshake, and total request time. The TLS handshake time is time_appconnect - time_connect.
Detailed TLS handshake timing
curl -w "\nDNS: %{time_namelookup}s\nTCP: %{time_connect}s\nTLS: %{time_appconnect}s\nFirst byte: %{time_starttransfer}s\nTotal: %{time_total}s\nTLS ver: %{ssl_version}\n" \
-o /dev/null -s https://example.comExtended timing including first-byte latency and the TLS version negotiated. Useful for benchmarking server TLS performance.
Show HTTP status code
curl -o /dev/null -s -w "%{http_code}\n" https://example.comSet connection timeout
curl --connect-timeout 10 https://example.comTimeout in seconds for connection phase. Use --max-time for total operation timeout.
Limit download speed
curl --limit-rate 100K https://example.com/largefile.zipShow transfer progress
curl -# -o file.zip https://example.com/file.zipShows progress bar instead of default progress meter.
🍪 Cookies & Sessions
Save cookies to file
curl -c cookies.txt https://example.comLoad cookies from file
curl -b cookies.txt https://example.comSend specific cookie
curl -b "session_id=abc123; preferences=dark" https://example.comMaintain session (save and load cookies)
curl -c cookies.txt -b cookies.txt https://example.com/dashboard🚀 HTTP/2 and HTTP/3
Use HTTP/2 (with fallback)
curl --http2 https://example.comAttempts HTTP/2 via ALPN negotiation, falls back to HTTP/1.1 if unsupported.
Require HTTP/2 (no fallback)
curl --http2-prior-knowledge https://example.comSends HTTP/2 directly without upgrade negotiation. Fails if the server does not support HTTP/2.
Use HTTP/3 (QUIC)
curl --http3 https://example.comRequires curl built with HTTP/3 support (nghttp3 + ngtcp2 or quiche). Use --http3-only to require HTTP/3 without fallback.
Check negotiated protocol version
curl -w "Protocol: %{http_version}\n" -o /dev/null -s --http2 https://example.comShows which HTTP version was actually negotiated (1.1, 2, or 3).
⚙️ Advanced Options
Use proxy
curl -x http://proxy.example.com:8080 https://example.comUse SOCKS5 proxy
curl --socks5 localhost:1080 https://example.comResume partial download
curl -C - -O https://example.com/largefile.zipSilent mode (no progress or errors)
curl -s https://example.comUse -sS for silent mode but show errors.
Write out TLS connection variables
curl -w "\nTLS Version: %{ssl_version}\nVerify Result: %{ssl_verify_result}\n" \
-o /dev/null -s https://example.comUses curl write-out variables to extract TLS connection information programmatically.
Trace full network exchange
curl --trace-ascii trace.log https://example.comCaptures the full request/response including TLS handshake bytes in ASCII format. Use --trace for hex output.