
paragonie/certainty
===================

Up-to-date, verifiable repository for Certificate Authorities

v3.0.2 (8mo ago) · ISC · PHP ^8.3 · [4 issues](https://github.com/paragonie/certainty/issues)

[Source](https://github.com/paragonie/certainty) · [Packagist](https://packagist.org/packages/paragonie/certainty)

Certainty - CA-Cert Automation for PHP Projects
===============================================


Automate your PHP projects' cacert.pem management. [Read the blog post introducing Certainty](https://paragonie.com/blog/2017/10/certainty-automated-cacert-pem-management-for-php-software).

**Requires PHP 8.3 or newer.** Certainty should work on any operating system (including Windows), although the symlink feature may not function in VirtualBox Shared Folders.

Note

For PHP < 8.3 support, you can use version [2.x](https://github.com/paragonie/certainty/tree/v2.x) of the library instead of v3+.

Who is Certainty meant for?
---------------------------


- Open source developers with no control over where their code is deployed (e.g. Magento module developers).
- People whose code might be deployed in weird environments with CACert bundles that are outdated or in unpredictable locations.
- People who are generally forced to choose between:
    1. Disabling certificate validation entirely, or
    2. Increasing their support burden to deal with corner-cases where suddenly HTTP requests are failing on weird systems

Certainty allows your software to "just work" (which is usually the motivation for disabling certificate validation) without being vulnerable to man-in-the-middle attacks.

### Motivation


Many HTTP libraries require you to specify a file path to a `cacert.pem` file in order to use TLS correctly. Omitting this file means one of three things: disabling certificate validation entirely (which enables trivial man-in-the-middle exploits), suffering connection failures, or hoping that your library falls back safely to the operating system's bundle.

In short, the possible outcomes (from best to worst) are as follows:

1. Specify a cacert file, and you get to enjoy TLS as it was intended. (Secure.)
2. Omit a cacert file, and the OS maybe bails you out. (Uncertain.)
3. Omit a cacert file, and it fails closed. (Connection failed. Angry customers.)
4. Omit a cacert file, and it fails open. (Data compromised. Hurt customers. Expensive legal proceedings.)

Obviously, the first outcome is optimal. So we built *Certainty* to make it easier to ensure open source projects do this.

Installing Certainty
--------------------


From Composer:

```
composer require paragonie/certainty:^3
```

Certainty will keep certificates up to date via `RemoteFetch`, so you don't need to update the Certainty library just to get fresh CA-Cert bundles. Update only for bugfixes (especially security fixes) and new features.

### Non-Supported Use Case:


If you are not using [`RemoteFetch`](docs/features/RemoteFetch.md) (we strongly recommend that you do, and we only provide support for systems that *do* use `RemoteFetch`), then you want to use `dev-master` rather than a version constraint, due to the nature of CA certificates.

If a major CA gets compromised and their certificates are revoked, you don't want to continue trusting these certificates.

Furthermore, if you avoid `RemoteFetch`, you should run `composer update` at least once per week to prevent stale CA-Cert files from causing issues.

Using Certainty
---------------


See [the documentation](docs/README.md).

What Certainty Does
-------------------


Certainty maintains a repository of all the `cacert.pem` files since 2017, along with a sha256sum and an Ed25519 signature of each file. When you request the latest bundle, Certainty checks both of these values for each entry in the JSON value (the signature can only be produced by a key held by Paragon Initiative Enterprises, LLC) and returns the latest bundle that passes validation.

The cacert.pem files contained within are [reproducible from Mozilla's bundle](https://curl.haxx.se/docs/mk-ca-bundle.html).
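The selection rule described above (verify checksum and signature for each index entry, return the newest one that passes), as an added example that is not Certainty's own code. The index field names, the `latestValidBundle()` helper, the key pairs and the bundle contents are all assumptions constructed for the demonstration; it needs PHP's sodium extension.

```php
<?php
declare(strict_types=1);

// Added example. The index fields (date, file, sha256, signature) are an assumed
// layout, and every key and bundle below is constructed for the demo.

/** Return the newest entry whose SHA-256 and Ed25519 signature both verify. */
function latestValidBundle(array $index, array $files, string $publicKey): ?array
{
    // Newest first, so the first entry that passes both checks wins.
    usort($index, fn(array $a, array $b): int => strcmp($b['date'], $a['date']));
    foreach ($index as $entry) {
        $pem = $files[$entry['file']] ?? null;
        $sigHex = $entry['signature'];
        if ($pem === null || !hash_equals($entry['sha256'], hash('sha256', $pem))) {
            continue; // missing file or checksum mismatch
        }
        if (strlen($sigHex) !== 2 * SODIUM_CRYPTO_SIGN_BYTES || !ctype_xdigit($sigHex)) {
            continue; // malformed signature field
        }
        if (sodium_crypto_sign_verify_detached(hex2bin($sigHex), $pem, $publicKey)) {
            return $entry;
        }
    }
    return null; // fail closed: no trustworthy bundle
}

$trusted = sodium_crypto_sign_keypair();  // stands in for the publisher's key
$other   = sodium_crypto_sign_keypair();  // some key the client does not trust

// Build an index entry by hashing and signing $signed with the given key pair.
$makeEntry = fn(string $date, string $file, string $signed, string $kp): array => [
    'date' => $date,
    'file' => $file,
    'sha256' => hash('sha256', $signed),
    'signature' => bin2hex(sodium_crypto_sign_detached($signed, sodium_crypto_sign_secretkey($kp))),
];

$files = [
    'cacert-a.pem' => "constructed bundle A\n",
    'cacert-b.pem' => "constructed bundle B, modified after signing\n",
    'cacert-c.pem' => "constructed bundle C\n",
];
$index = [
    $makeEntry('2024-01-10', 'cacert-a.pem', $files['cacert-a.pem'], $trusted),
    $makeEntry('2024-06-10', 'cacert-b.pem', "constructed bundle B\n", $trusted), // file changed
    $makeEntry('2024-09-10', 'cacert-c.pem', $files['cacert-c.pem'], $other),     // wrong signer
];
$best = latestValidBundle($index, $files, sodium_crypto_sign_publickey($trusted));
echo $best === null ? "no valid bundle\n" : "selected {$best['file']}\n";
```

The newest entry carries a matching checksum but a signature from an untrusted key, which is the case a checksum alone cannot catch: anyone able to rewrite the index can recompute a hash, but not the signature.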

### How is Certainty different from composer/ca-bundle?


The key differences are:

- Certainty will keep the CA-Cert bundles on your system up-to-date even if you do not run `composer update`.
- We sign our CA-Cert bundles using Ed25519, and check every update into the [PHP community Chronicle](https://php-chronicle.pie-hosted.com).

Support Contracts
-----------------


If your company uses this library in their products or services, you may be interested in [purchasing a support contract from Paragon Initiative Enterprises](https://paragonie.com/enterprise).


### Release Activity

- Cadence: every ~96 days (recently: every ~9 days)
- Total: 31
- Last release: 242d ago

Major versions:

- v0.2.0 → v1.0.0 (2017-11-01)
- v1.0.4 → v2.0.0 (2018-04-09)
- v2.9.0 → v3.0.0 (2025-08-13)
- v2.9.1 → v3.0.1 (2025-08-13)

PHP version history (4 changes):

- v0.1.0: PHP ^5.6|^7
- v2.1.0: PHP ^5.5|^7
- v2.6.1: PHP ^5.5|^7|^8
- v3.0.0: PHP ^8.3

### Community

Maintainers: [paragonie-scott](/maintainers/paragonie-scott)

Top contributors: [paragonie-security](https://github.com/paragonie-security) (186 commits), [paragonie-scott](https://github.com/paragonie-scott) (12 commits), [andysnell](https://github.com/andysnell) (3 commits), [credomane](https://github.com/credomane) (1 commit), [erikn69](https://github.com/erikn69) (1 commit), [jacques](https://github.com/jacques) (1 commit)

