Anyone running a recent Linux distribution is probably already OK, because they get the curl libraries bundled in through their package managers and recent curl libraries come with the latest CA root certificate bundle from Mozilla.org. This means you can just turn CURLOPT_SSL_VERIFYPEER on and you won’t get any errors.
For a PHP installation that doesn’t come with this file, like the Windows PHP distribution, you need to download the CA root certificate bundle and tell PHP where to find it. Luckily this is really easy. The curl website has the latest CA root certificate bundle ready to go; just download the .pem file and save it where your PHP installation can access it.
Then you just need to edit your php.ini file to tell curl where you saved the .pem file. On my Windows test VM, I have several PHP versions under c:\php, so I put the file into that folder and added this line to each php.ini file:
curl.cainfo=c:\php\cacert.pem
For WampServer on Windows:
curl.cainfo=C:\wamp64\bin\php\{php version folder}\cacert.pem
After restarting the web service, curl now has a valid CA root certificate bundle and it can verify the SSL certificates of remote servers just fine. If it does get an error, it’s because the certificate is invalid — and that’s what you want it to do.
Job is done, safely.
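One way to confirm the setting took effect, as an added example that is not part of the original post: the script reads curl.cainfo from the loaded php.ini, checks that the bundle is readable and contains PEM certificates, and, if a URL is passed as the first argument, requests it with peer and host verification on. The function names check_ca_bundle and verified_get are illustrative.

```php
<?php
// Added example: confirm that curl.cainfo points at a usable CA bundle,
// then optionally make a verified HTTPS request.

function check_ca_bundle(?string $path): array
{
    if ($path === null || $path === '') {
        return [false, 'curl.cainfo is not set in the loaded php.ini'];
    }
    if (!is_readable($path)) {
        return [false, "CA bundle not readable: $path"];
    }
    // Count PEM certificate blocks; an HTML error page saved as .pem has none.
    $count = preg_match_all('/-----BEGIN CERTIFICATE-----/', file_get_contents($path));
    if (!$count) {
        return [false, "No PEM certificates found in $path"];
    }
    return [true, "$count certificates in $path"];
}

function verified_get(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
        CURLOPT_TIMEOUT        => 10,
    ]);
    if (curl_exec($ch) === false) {
        // A certificate problem lands here instead of being silently accepted.
        return [false, 'curl error ' . curl_errno($ch) . ': ' . curl_error($ch)];
    }
    return [true, 'HTTP ' . curl_getinfo($ch, CURLINFO_RESPONSE_CODE)];
}

echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
[$ok, $msg] = check_ca_bundle(ini_get('curl.cainfo') ?: null);
echo ($ok ? 'OK   ' : 'FAIL '), $msg, PHP_EOL;

// Pass a URL as the first argument to test a real connection.
if ($ok && isset($argv[1])) {
    [$ok, $msg] = verified_get($argv[1]);
    echo ($ok ? 'OK   ' : 'FAIL '), $argv[1], ' -> ', $msg, PHP_EOL;
}
exit($ok ? 0 : 1);
```

The command-line PHP and the web server's PHP can load different php.ini files, so compare the "Loaded php.ini" line with the file you edited.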