Installation and Configuration
What do I need to compile Claws Mail?
- Any POSIX compliant UNIX or similar OS eg. Linux, FreeBSD, Solaris, Mac OS X
- GTK+ 2.16.x or later
- A recent ANSI C compiler (gcc 22.214.171.124 should also work)
Otherwise ./configure will fail.
- for X-Face support
- GnuPG 1.2.1 or later and GPGME 0.4.5 or later
- for GnuPG support (see How do I enable GPG support in Claws Mail?)
- GnuTLS 2.2 or later
- for SSL/TLS support
- libEtPan! 0.57 or later
- for IMAP4 support and NNTP support
- OpenLDAP 2.0.7 or later
- for LDAP support
- Enchant (and dictionaries)
- for spell-checker support
- for J-Pilot support
- for interprocess communication support
- Network Manager
- for support for detection of network connection changes
How to build Claws Mail on Mac OS X?
The steps to build Claws Mail on Mac OS X have been originally posted by Damien Krotkine, on his dedicated page and his former post to his blog. None of them are avaliable anymore. The procedure below is based on his work. There's an additional procedure posted on users list by Stainless Steel Rat.
Compiling against X.org
Installing Claws Mail will require X.org, GTK+ 2.6, and a working POSIX building environment (including the gcc/make toolchain). Let's consider using Fink to install the software requirements on your Mac OS X system.
Install Fink (http://www.finkproject.org/).
Download and unpack the Claws Mail sources.
./configure --prefix=/sw to quickly see what packages are missing, and install them using Fink (
FinkCommander). Some of the required packages are available in unstable only, so you might need to enable unstable packages in the Fink prefs, then do
fink selfupdate scanpackages. You'll need a complete gcc/make toolchain as well as few extra requirements:
xorg (binary) pkgconfig (binary) glib2-dev (compiled from source - we recommend >=2.10 from unstable) gtk+2-dev (compiled from source - must be >=2.6 from unstable)
Getting IMAP support in Claws Mail requires libetpan, but there is no Fink package for it. Darwin ports provide one, but let's compile it from source directly. Get the tarball from the etpan homepage (http://sourceforge.net/projects/libetpan). Unpack it, and compile the sources with:
% ./configure --prefix=/sw && make && sudo make install
If you need SSL support (for IMAP for instance), install openssl-dev, via Fink, but before that, make sure you enable "Use unstable cryptography packages" in the Fink preferences.
You could also enable support for compface, libgnomeprint/libgnomeprintui, aspell, jpilot, gnupg and gpgme (>=1.0.0) by installing the appropriate packages from Fink.
If you want to compile any of the dillo-viewer, spamassassin or bogofilter plugins with Claws Mail 2.9.2, you have to apply this patch: http://www.mollux.org/projects/contrib/claws-mail/patches/pending/claws-mail-osx-build-core-plugins-rev1.diff into the Claws Mail sources directory. SpamAssassin can be installed from
cpan (see http://developer.apple.com/server/fighting_spam.html) or from the sources.
Now configure the sources:
% ./configure --prefix=/sw --disable-trayicon-plugin
./configure runs well, it should output something like this:
claws-mail 2.9.2 JPilot : yes LDAP : yes OpenSSL : yes iconv : yes compface : yes IPv6 : yes GNU/aspell : yes IMAP4 : yes Crash dialog : no Libgnomeprint : yes LibSM : no Manual : yes Plugins : dillo-viewer pgpinline pgpmime pgpcore bogofilter spamassassin Maemo build : no Config dir : .claws-mail The binary will be installed in /sw/bin
Now let's build Claws Mail:
And install it:
% sudo make install
If everything compiled correctly, you should be able to run Claws Mail. You first need to start X: as we've installed the Fink X.org server, you have to run
startx, and now from within a
Most of the extra plugins can be installed: you'd need to download and unpack the extra plugin sources tarball and enter the commands below after entering any of the plugins directories you need.
att_remover attachwarning cachesaver fetchinfo_plugin gtkhtml2_viewer (libgtkhtml2 required) mailmbox notification_plugin pdf_viewer (poppler >=0.5.1 required) perl_plugin smime synce_plugin vcalendar
The following plugins can't be used yet:
acpi_notifier (probably not applicable, plugin doesn't compile anyway) newmail (plugin won't load) rssyl (plugin will crash)
Commands to build and install a plugin:
% ./configure --prefix=/sw && sudo make install
How do I set up Claws Mail?
When you run Claws Mail for the first time, the Installation Wizard will appear and prompt you for the minimum required information necessary to start using Claws Mail in less than 5 minutes.
Why did the creation of the mailbox fail?
Claws Mail reports such an error if it can't create the default mailboxes (inbox, outbox, etc ...). This can be because <homedir>/Mail already contains files with the same names. This occurs when switching from Kmail to Claws Mail, in this case backup and remove the existing Mail directory or use another name for the Claws Mail mail directory.
How do I create a new account?
You can add an account by using the menu item '/Configuration/Create new account'
Why does Claws Mail not delete my mails when I press "delete"? I set a filter, and Claws Mail does not filter. I moved a mail to a different mailbox and it did not move.
You have the configuration option 'Execute immediately when moving or deleting messages' on the /Configuration/Preferences/Display/Summaries page disabled.
Can I set up special addresses/ports for my mailserver / newsserver?
Yes, you can. In the Account preferences, on the 'Advanced' tab you can specify the port addresses that you want to use.
Does Claws Mail have options for threading messages?
Yes. You can switch it on and off in the View Menu, just select "Thread View" or press Ctrl+T. (This only affects the currently selected folder; i.e. it is a folder property.)
Can I create multiple levels of subfolders to store mail?
Absolutely. This is no problem.
1. right-click on an existing folder
2. choose 'Create new folder ...' from the resulting menu
3. type in a name for your new folder (you can check 'inherit properties from parent folder' if you want to do that)
How do I apply a patch after downloading it?
Copy patch to Claws Mail directory Apply the patch:
% patch -p0 < some.patch
Or, if it's gzipped:
% gzip -dc some.patch.gz | patch -p0
./autogen.sh [OPTIONS], then
How do I compile in support for compface pictures?
You have to have a package called libcompface installed, so this is available for compiling into Claws Mail. You can find out more and download it at http://freshmeat.net/projects/compface/ . Also, Tim Jackson has a spec file, which you can use to build an RPM of compface, at http://www.timj.co.uk/linux/rpms.php .
How do I make my own compface image?
You can use the gif2xface.pl script, which converts a 48x48 gif to the format suitable for compface. This script can be found in the 'tools' directory, along with a README. It is also available from this site: http://www.claws-mail.org/tools.php. You can also let Claws Mail create it by itself from a .xbm file.
Or, if that doesn't work.
1. Find/create 48x48 image, png works well.
2. Convert it to pbm without dither (this also makes it black and white: convert -dither image.png image.pbm
3. Convert the pbm to icon: pbmtoicon image.pbm > image.icon
4. Edit the icon file in a text editor. Delete any comment at the beginning, and put the values in colums of three with comma separation like so:
0xfoo, 0xfoo, 0xfoo,
5. The final line shouldn't have a comma ending it
0xfoo, 0xfoo, 0xfoo
6. Make certain there are exactly 48 lines and save.
7. Run compface on it: compface <image.icon> image.xface
8. Then follow the instructions below.
Or you can take the super easy way out and just use this website:
How can I make Claws Mail send my compface image in the mails?
On the Send page of the Account preferences check 'Add user-defined header' and press the 'Edit' button. In the dialogue that appears, add a header named "X-Face" and fill the value field with your face data. Alternatively, you can select a .xbm file in this dialog. Note that if you paste the data from a terminal into the field some spurious newlines can be added, and these can mangle your face, be careful.
How can I make Claws Mail send a colour Face image in the mails?
Face headers contain base64-encoded 48x48 PNG image, and don't have any external dependency at compile-time or at run-time. You'll find more details here: http://quimby.gnus.org/circus/face/
Once you have your .png file that complies to the specs of the Face header (max length 725 bytes), go to the Send page of the Account preferences, check 'Add user-defined header' and press the 'Edit' button. In the dialogue that appears, add a header named "Face" and click the 'From file' button to select your .png file.
Note: there's nothing that prevents you from having both a X-Face (see previous FAQ entry) and a Face header in your mails.
How do I make my own Face image?
For a color face image, a simple command-line use is all that's needed:
home:~$ djpeg my.jpg | ppmnorm | pnmscale -width 48 -height 48 | ppmquant 9 | pnmtopng > my.png
The number after 'ppmquant' can be changed as needed until you have an image that is as close to 725 bytes as possible. It cannot be larger than 725 bytes.
How can I tell my browser/newsclient/other program to use Claws Mail as e-mail program?
In the settings part of the program, use
claws-mail --compose "%t?subject=%s&body=%d"
- Specific options for typical browsers
- Firefox 3
In Firefox go to /Edit/Preferences/Applications. Search for 'mailto'. Under 'Action', select 'Use other...', and locate and select the 'claws-mail' executable, (typically /usr/bin/claws-mail or /usr/local/bin/claws-mail).
- Firefox 2
Enter 'about:config' in the address bar. Add or Edit the following values:
network.protocol-handler.external.mailto : default : boolean : true network.protocol-handler.app.mailto : user set : string : claws-mail
claws-mail --compose mailto:%t?[subject=%s&][body=%m]
claws-mail --compose "mailto:%t?subject=%s&body=%d"
How do I enable GPG support in Claws Mail?
GunPG support requires GnuPG >= 0.4.x and GPGME >= 1.x.x.
Caution: according to some user experience, you might need to install GnuPG 1.x and GPGME 1.x.x in a separate location (isolated from the system ones), and to make sure GPGME is configured to use this specific GnuPG binary (`configure --prefix=/path/to/the/isolated/gpg1 --with-gpg=/path/to/the/isolated/gpg1/bin/gpg`). This is at least the case on RHEL6 and variants (SL6/CentOS6, Fedora 11+, probably RHEL5 and variants too), who come with GnuPG2 only, and where GPGME is configured to use `/usr/bin/gpg2` (see `gpgme-config --get-gpg`)- so it's useless on these systems to install GnuPG 1.x in system paths and to make sure the `gpg` found on the PATH points to the real GnuPG 1 version. Once this is done, GnuPG 1 and system's GnuPG 2 can both work fine with user's .gnupg/ config (GnuPG 1/2 are designed to do so). You'll need to update your environment where PATH and LD_LIBRARY_PATH must point to /path/to/the/isolated/gpg1 subdirectories prior to start `claws-mail`.
You need to load the PGP/Core, PGP/MIME, and PGP/inline plugins. '/Configuration/Plugins/Load plugin'.
Mutt does not recognize Claws Mail's MH structure
For this to work you need to use the
touch command in every MH folder.
touch the file
.xmhcache and Mutt should do just fine.
How can I make Claws Mail notify me when new mail arrives?
Go to '/Configuration/Preferences/Common', on the 'Receive' tab use the settings for 'Run command when new mail arrives'. You can also use the Acpi-notifier (if you have a supported laptop) or the Notification plugin, which are available on the Plugins page.
Can I use a spell checker with Claws Mail?
Install Enchant (with dictionaries) and run
I checked out the sources using git and cant find any configure script. What can I do?
The git versions are meant to be used by developers rather than normal users, so the source (or binary) distributions are easier to use.
- Yeah, but the latest features from git really look sexy...
You need to generate the configure script by running
./autogen.sh. Building from git requires a lot of extra dependencies that the release tarballs don't have.
Running "autogen.sh" gives errormessages that AM_PATH_GDK_PIXBUF or AM_PATH_(whatever) is not found. What can I do?
There are some *.m4 files in the
ac/missing directory. Try to copy them into the
ac directory and run
If there are still some .m4 files not found (e.g. those from Gtk), try to run
% locate m4 | less
% locate aclocal | less
to find additional directories containing those macros. If you find e.g. a "gtk.m4" in "/opt/gnome/share/aclocal", change following line in "autogen.sh" from
aclocal -I ac \
aclocal -I ac -I /opt/gnome/share/aclocal \
and run it again.
I dont want to compile in support for ... any longer, but after running
configure, those libraries are still used. What can I do?
config.cache file and run
configure again. You should also use
make clean to avoid undefined references.
How can I select different applications to open with specific MIME types?
The MIME-type->application associations are kept in
How can I change the suggested mimetype for attachments I am sending?
The extension->MIME-type associations are kept in either
/etc/mime.types, depending on your system.
Right-click an attachment in the compose window's "Attachments" tab, and select Properties to change the MIME-type.
Why is the folder list not updated after I manually moved/copied folders?
You need to update Claws Mail's cache. Right click on the mailbox and choose "Check for new folders".
How can I revert original settings, e.g. for fonts, keybindings, etc.?
Claws Mail keeps its configuration files in
$HOME/.claws-mail/clawsrc and creates default entries, if none are found. So the easiest way is to quit claws-mail, temporarily renaming your
$HOME/.claws-mail e.g. to
*.bak and restarting claws-mail in order to get default entries.
What environment variables have effect on Claws Mail?
- Here are the most common variables
- location of .claws-mail (config directory) and default folder for Mailboxes.
- locale settings, e.g. language and date format.
For a more detailed list see manual page (man claws-mail).
Why are special characters (e.g. umlauts) not displayed correctly?
In most cases, this is caused by emails with broken encodings. You can try to force it using the View/Character Encoding submenu.
How can I convert my old mailbox / addressbook from (some mail client).
If you can export your old mailbox to
mbox format it can be imported directly into Claws Mail. If the mailbox is in
MH format you can use /File/Add Mailbox/MH... If the mailbox is in
mbox format, it can be imported with /File/Import mbox file/...
The Claws Mail addressbook supports direct import from Mutt, Pine, and LDIF and vCard formats, which are standard formats exported by most email clients.
In addition, several scripts are provided on the Claws Mail website to convert various mailbox and addressbook formats.
If your old addressbook only supports CSV export, and it is not supported by the
csv2addressbook.pl script on the website, you can convert it to vCard format using this online tool. Another online tool can convert from vCard to LDIF format.
What configuration files are there, and what are they used for?
The default location for Claws Mail's configuration files is
$HOME/.claws-mail/. (The command '
claws-mail --config-dir' shows the location.) They are in plain text format and quite easy to understand, so don't fear to take a look into them using a text editor.
- main configuration: nearly all options from the settings window, e.g. mailbox location, font entries, etc.
- settings for POP/IMAP/NNTP/local accounts
- user defined actions
- user defined header lines
- headers to display above the mail body
- folder specific settings
- additional folder specific settings, e.g. hiding read messages, sort order, etc.
- filtering, processing and scoring settings
- Key bindings
- contents of your address book (before version 3.1.0 the address book files were kept directly in
What's a good method for printing an e-mail?
Most precompiled packages will use the libgnomeprintui library or more for more recent builds with GTK 2.10.xx the built in GTK 2.10 printing support (which will be the default), which will allow you to print your emails simply with the same interface as Gnome (or GTK) apps. It will be compiled in if you have libgnomeprint-dev and libgnomeprintui-dev packages installed, or have GTK 2.10.xx
If Claws Mail hasn't been compiled with libgnomeprintui or GTK 2.10.xx printing support, you can use enscript. Use
enscript %s to print everything on one page, or
enscript -U2 %s for printing two logical pages on one physical page.
As a more pretty alternative: Use muttprint. The print-command would then look something like this:
muttprint -f %s
Using KDE or gv you also get a "print preview" for free!
muttprint -f %s -p - |kghostview - or
muttprint -f %s -p - |gv - respectively... BTW: muttprint, like enscript, may optionally print two logical pages on one physical page. Just have a look at the docs!
Claws refuses to send mail, and says the queue folder cannot be found
This problem happens for people using only IMAP accounts. Claws Mail requires a queue folder for outgoing mail. If there is none, it will display an error message ("can't find queue folder") and refuse to send mail. This feature prevents loss of messages, in the case Claws Mail would be killed while sending an e-mail, or should there be a network problem. It provides extra security against data loss.
You are advised to create a local folder (/File/Add Mailbox/MH). Outgoing messages will be queued there, and sending will work.
You can also decide not to use a local folder for the queue, and use the IMAP server for this. It is not recommended because Claw Mail's queued messages have a special header that might not be handled correctly by the IMAP server. If you really want to create a queueing folder in an IMAP server, create an ordinary folder in it. Right click on it, select /Properties/, and change /Type/ to be "Queue". (Might be unneeded : Go to /Configuration/Edit accounts/, select your account, click /Edit/, click /Advanced/. On this screen you can tick /Put queued messages in/ and select the folder you have created.)
What is the purpose of this bizarre "Enable Alternate Dictionary" option?
It is useful only if you routinely compose messages that use two or more languages. If this option is enabled, then when you switch to another language, the last one you used is not swapped out from memory, thus, when you switch again to it, there is no delay. Moreover, whenever you use two dictionaries, if you check a word and if the spell checker considers it misspelled in the current language, you can switch to the alternate language and recheck the word in one operation by selecting the "Check with ALTERNATE_LANGUAGE" item (keyboard short-cut: <x>) in the suggestions menu. This is very handy when the message contains paragraphs in two languages.
Why doesn't the spell checker have a more traditional user interface, like KMail, Evolution etc?
Because the developer (Melvin Hadasht) noted that by using the keyboard shortcuts the spell checking can be done faster while typing (more on that below). Moreover, there is the option <Spelling/Check All or Check selection> allows to do a spell checking of the whole text or just a selection. Just keep an eye where the suggestions menu shows up to look at the misspelled word, then hit one of the letters corresponding to the suggestion (<a> through <p>, press also <ALT> to make the selected suggestion listed as the first suggestion the next time you do exactly the same mistake --- this is the "learn by mistake" feature), or hit <r> to type a replacement, or hit <ALT-SPACE> to accept the word in the current message, or hit <ALT-RETURN> to accept the word and to add it definitively to your personal dictionary associated to this language. If you have enabled the "Alternate Dictionary", you can switch to it by hitting <x>.
If you prefer checking while you type, just bind the <Spelling/Check backwards misspelled word> and <Spelling/Forward to next misspelled word> to two quick keyboard short cuts. Then, as soon as you mistype a word, call the <Check backwards...> short-cut ---you do not need to move the cursor--- and without using the mouse select the suggestion. As Enchant does a good job at suggesting a replacement, you will often end to type <a>, and as the cursor did not move, just continue typing. In contrast, the other option, <Forward to next...> does move the cursor. This is because if you have text after the cursor, that also means in general that you are only editing a message, and not writing it, so advancing the cursor to the misspelled word is in general the wanted behaviour.
How do I make Claws Mail the default mail application for KDE?
wget http://www.claws-mail.org/tools/claws-mail-compose.pl mv claws-mail-compose.pl /usr/local/bin chmod +x /usr/local/bin/claws-mail-compose.pl
Then go to the KDE Control Center -> KDE Components -> Component Chooser -> Email Client, choose "Use a different email client" and enter the following into the textbox:
/usr/local/bin/claws-mail-compose.pl --to="%t" --cc="%c" --bcc="%b" --subject="%s" --body="%B" --attach="%A"
If your binary has a name other than "claws-mail", you must append another parameter:
where /usr/bin/claws-mail is the full path to claws-mail on your system.
In case you don't want that perlscript or you can't use it - there is this alternative. But be aware that passing multiple lines or non-standard characters to Claws Mail from an application (e.g. konqueror trying to send form-data via email) will not work!
claws-mail --compose "~mailto:%t?cc=%c&bcc=%b&subject=%s&body=%B" --attach "%A"
Replace "claws-mail" with the actual name of your binary here as well.
Why does Claws Mail tell me that a gpg signature has expired?
The sender used a key with a time limit, you have to update your keyring regularly to receive the updated signatures, e.g. like this:
Note: Most keyservers have problems syncing OpenPGP type keys (see http://keyserver.kjsl.com/~jharris/keyserver.html). It is recommended to switch to SKS keyservers, e.g. subkeys.pgp.net or sks.keyserver.penguin.de .
Why does Claws Mail tell me that there is one unread message in some folders?
If the message count in a folder indicates that you have one unread message but all are marked as read you have to do the following: Right click on toplevel MH folder and use "Check for new messages", or use '/View/Update Summary'
How can I use my free Hotmail, Yahoo, or AOL email account via Claws Mail?
FreePOPs should allow you to create kind of a "bridge" between these proprietary email services and Claws Mail. Simply install FreePOPs, which is probably packaged in your distribution and configure it. After that, you can add an POP3 account to Claws Mail, which receiving server will be
localhost and set the port to use to
2000 in the Advanced tab. The username to use consists of a complete email address, like
firstname.lastname@example.org, so that FreePOP can know which type of account it is. For more information, see FreePOPs' user manual.
Does Claws Mail work with Gmail accounts?
Yes, provided that you have enabled POP or IMAP access in your Gmail account.
all about POP access: http://gmail.google.com/support/bin/topic.py?topic=12805
enabling POP in Gmail: http://gmail.google.com/support/bin/answer.py?answer=13273
configure other email client for POP access: http://mail.google.com/support/bin/answer.py?answer=13287
all about IMAP access: http://gmail.google.com/support/bin/topic.py?topic=12806
enabling IMAP in Gmail: http://gmail.google.com/support/bin/answer.py?answer=77695&topic=13294
configure other email clients for IMAP access: http://mail.google.com/support/bin/answer.py?hl=en&answer=78799
Information about using Claws with Gmail effectively: http://www.claws-mail.org/faq/index.php?title=Using_Claws_with_Gmail
Claws Mail doesn't retrieve emails from my Gmail (POP3) account. Sending messages doesn't work either. What can I do?
Try prefixing your user name, which is usually your email address, with 'recent:' (without the quotes).
Also make sure that under the 'Send' tab of your Claws Mail Account settings , the 'Authenticate with POP3 before sending' option is turned off.
Finally, be aware that if the 'Remove messages on server when received' option is set in the 'Receive' tab of your Claws Mail Account, when you retrieve your messages they will be removed from the Gmail 'All emails' folder and they won't be available anymore from the Gmail web interface.
Can I have different mailboxes for my accounts even though they aren't IMAP or News?
Yes, you can.
Use File -> Add mailbox -> MH
Then in the account preferences on the 'receive' tab set the inbox, on the 'advanced' tab set up the other folders.
How can I permanently delete messages?
When you press the [del] key, the selected messages are moved to the Trash folder. You can, of course, empty the trash at any time by using the Trash folder's contextual menu.
If, however, you want to permanently delete the message without moving it to trash, you have two options:
- Delete menu
- First possibility is to select the /Message/Delete menu item in the main window, (to which you can assign a keyboard shortcut, like [shift+del]), or the message's context menu entry.
- Trash subfolder
- If you systematically want to permanently delete messages from a folder, (for instance, your Junk folder that contains spam messages), you should create that folder as a subfolder of Trash. It will then inherit the behavior of the trash folder, and permanently delete messages when you press [del].
How can I compose email without internet connection (offline)?
If you need to create email in offline (e.g. when you are travelling with your notebook and temporaly have no internet connection), you should do the following steps 1. Create MH mail box (File/Add mailbox) for local storage of messages. 2. At your account preferences, advanced-tab you should override "put queued messages in" and "put queued draft in" with folders of your MH mail box, e.g.
When you compose your messages in offline mode, you should press "send later", to put them into local queue. Entering online you press "send" button in main application screen to actually transmit them.
SSL certificate verification errors.
TL;DR 'No certificate issuer found' during verification likely is caused by unreadable or misconfigured system certificate store.
Claws Mail uses gnutls or openssl libraries to deal with encryption (via libetpan dependency).
Upon connection certificate from the server is always checked for validity. It entails checking whole chain of certificates from CA root certificate, through any intermadiate certificate to the one presented by the mail server. For that chained verification to succeed ssl libraries must read root certificate from a local system store (file or dir).
Location of this certificates store varies significantly from one distro to the other and if root CA certificate is unreadable by an user process (i.e. claws-mail) then verification fails with cryptic error messages shown in 'Certificates change' dialog.
You may see either 'No certificate issuer found' then 'Signature: Uncheckable'.
It usually means that ssl library can not get CA root certificate from the store eg. because store is not readable. It happens that certificates upgrade package sets bad permissions on the store file or dir, so this is first check after seeing aforementioned errors. If the store is readable it MAY signal that you really got slapped with forged certificate or someone allowed intermediate cert to expire.
Below listed are current (2018) locations of system certificate stores:
SUSE: /var/lib/ca-certificates/ca-bundle.pem (file) Debian: /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt
Historical known 'standardized' cert store locations:
/usr/share/ssl/certs/ /usr/share/ssl/ /usr/share/ssl/cert.pem (file) /etc/ssl/certs/ /etc/ssl/certs/ca-bundle.crt (file) /etc/ssl/certs/ca-certificates.crt (file) /etc/pki/tls/certs/ca-bundle.crt (file) /etc/pki/tls/certs/ca-bundle.trust.crt (file) /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /System/Library/OpenSSL/