Adding SSL certificates to Google Chrome Linux (Ubuntu)
Posted by Peter in Miscellaneous
Google Chrome on Linux doesn’t have an SSL certificate manager; it relies on the NSS Shared DB. To add SSL certificates to the database you have to use the command line. I will explain how you can add the CAcert certificates and a very easy way to add self-signed certificates.
You will have to install some tools first:
sudo apt-get install libnss3-tools
sudo apt-get install curl
Adding CAcert certificates
Let’s start with adding the CAcert certificates; this will help with a lot of sites.
curl -k -o "cacert-root.crt" "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
Adding self-signed certificates
Some sites use self-signed certificates, and you need to add them to the database individually. There are two options to do this:
Using Firefox
You can use Firefox to look at the certificate and then export the certificate to a file. This file can be used to import the certificate into the DB.
Let’s say you export the file as a.pem; you can now import this file:
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "A Name" -i a.pem
Even though this works, it’s quite cumbersome and there is a better way.
Using my little script
I have created a little script that retrieves the certificate and imports it into the DB.
Create a file, let’s call it import-cert.sh, with the following contents:
#!/bin/sh
#
# usage: import-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
# Save stdout on fd 6, then send stdout to a file named after the host
exec 6>&1
exec > "$REMHOST"
# Fetch the server certificate and keep only the PEM block
echo | openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
# Import the saved certificate into the NSS shared DB
certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$REMHOST" -i "$REMHOST"
# Restore stdout and close fd 6
exec 1>&6 6>&-
Make sure the script is executable.
To add a certificate from a site you type the following:
import-cert.sh dirae.lunarservers.com 2083
In this case it uses port 2083 instead of the default port 443. If it’s the default port you don’t have to include the port.
To see which certificates are included in your database:
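A more cautious variant of the import script above, added here as an example and not part of the original post: it sends SNI, keeps only the first certificate, and refuses to import unless the SHA-256 fingerprint matches one you obtained out of band (for example from the server's administrator). The name pin-cert.sh, the function names and the three-argument usage are assumptions made for this example; the "P,," trust string marks the certificate as a trusted peer instead of a CA.

```sh
#!/bin/sh
# Added example, not the original import-cert.sh.
# usage: pin-cert.sh remote.host.name port expected-sha256-fingerprint
NSSDB="sql:$HOME/.pki/nssdb"

# Keep only the first PEM block (the server's own certificate) from stdin.
first_pem() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/{p;/-END CERTIFICATE-/q;}'
}

# Normalise a fingerprint: drop openssl's "label=" prefix, colons and
# whitespace, then upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same 64-hex-digit SHA-256 fingerprint.
fp_match() {
    a=$(norm_fp "$1")
    b=$(norm_fp "$2")
    case $a in *[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

pin_cert() {
    host=$1 port=$2 expected=$3
    pem=$(mktemp) || return 1
    trap 'rm -f "$pem"' EXIT
    # -servername sends SNI so a shared host returns the right certificate.
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | first_pem > "$pem"
    # Stop if nothing parseable came back instead of importing an empty file.
    seen=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || {
        echo "no certificate received from $host:$port" >&2
        return 1
    }
    openssl x509 -in "$pem" -noout -subject -issuer -enddate
    if ! fp_match "$seen" "$expected"; then
        echo "fingerprint mismatch, not importing: $(norm_fp "$seen")" >&2
        return 1
    fi
    # "P,," trusts this one certificate as a TLS peer. Unlike "TC" it does
    # not turn it into a CA that can vouch for other sites.
    certutil -d "$NSSDB" -A -t "P,," -n "$host" -i "$pem"
}

if [ "$#" -eq 3 ]; then pin_cert "$@"; fi
```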
certutil -L -d sql:$HOME/.pki/nssdb
And should you want to delete a certificate:
certutil -D -n <the name> -d sql:$HOME/.pki/nssdb
I hope this solves a lot of frustrations about big red screens when accessing secure websites.



Hi
I tried the above
when i visit my own webserver at 127.0.0.1 but I still get the warning.
In firefox it just works and no warnings.
Hi
I also tried with 192.168.1.103 instead of 127.0.0.1
certutil -L -d sql:$HOME/.pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
192.168.1.103 CT,,
but still the nasty red warning
What warning do you get?
The site’s security certificate is not trusted!
You attempted to reach 127.0.0.1, but the server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.
i run 4.0.295.0 for linux
in firefox on the same computer it works fine
but firefox is just slower than chrome
Moving the discussion to the forum as that’s an easier place to go back and forth.
http://forums.avirtualhome.com/viewtopic.php?f=21&t=216
Excellent! Works like a charm, thank you.
Thanks. Very useful info