The file ca-bundle.crt contains certificates extracted from Microsoft
Windows.  These are installed and used as the default trusted root
certificates when SSL certificate verification is requested with
--ssl-verify. On some platforms (some Unixes), these certificates are
used in addition to any certificates installed by the operating system.

Microsoft's bundle was preferred over Mozilla's because Microsoft may be
more selective in the organizations it trusts. When this bundle was
created, Microsoft's store had 107 certificates while Mozilla's had 126.
See below for how to use an alternative trust store.

== How to extract the trusted root CA certificates on Windows

These instructions require the openssl command-line utility.

Press "Start", then "Run...". Type "certmgr.msc" and press Enter. Open
the folder "Trusted Root Certification Authorities" and its subfolder
"Certificates". Type Ctrl-A to select all certificates, Right-click on
the list of certificates, and in the context menu, select "All Tasks",
then "Export...".  Export to the file ca-bundle.p7b.

In a Cygwin shell, enter the directory containing ca-bundle.p7b and run
the command
	openssl pkcs7 -in ca-bundle.p7b -inform der -print_certs -out ca-bundle.crt
That will create a file ca-bundle.crt containing all the certificates,
each preceded by its subject and issuer.

== Alternative sources for a certificate bundle

Another commonly used trust store is the one provided by Mozilla. The
cURL package includes a script that automatically creates a suitable PEM
file from a file in Mozilla's source repository. They also provide
ready-made PEM files to download. See http://curl.haxx.se/docs/caextract.html.