Adding SSL certificates to Google Chrome Linux (Ubuntu)

Google Chrome on Linux doesn't have an SSL certificate manager; it relies on the NSS shared DB. To add SSL certificates to that database you have to use the command line. I will explain how to add the CAcert certificates and a very easy way to add self-signed certificates.

You will have to install some tools first:

sudo apt-get install libnss3-tools
sudo apt-get install curl

Adding CAcert certificates

Let's start by adding the CAcert certificates; this will help with a lot of sites.

curl -k -o "cacert-root.crt"   "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

Adding self-signed certificates

Some sites use self-signed certificates; these you need to add to the database one at a time, and there are two ways to do this:

Using Firefox

You can use Firefox to look at the certificate and then export it to a file. This file can be used to import the certificate into the DB.
Let's say you export the file as a.pem; you can then import it like this:

certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "A Name" -i a.pem

Even though this works, it's quite cumbersome, and there is a better way.

Using my little script

I have created a little script that retrieves the certificate from the server and imports it into the DB.

Create a file, let's call it import-cert.sh, with the following contents:

#!/bin/sh
#
# usage:  import-cert.sh remote.host.name [port]
#
# Fetches the certificate presented by remote.host.name:port and imports it
# into Chrome's NSS shared DB under the host name as nickname.
if [ -z "$1" ]; then
    echo "usage: $0 remote.host.name [port]" >&2
    exit 1
fi
REMHOST=$1
REMPORT=${2:-443}
# Save the PEM certificate the server presents to a file named after the host.
# -servername sends SNI so that a server hosting several names answers with the right certificate.
echo | openssl s_client -servername "$REMHOST" -connect "${REMHOST}:${REMPORT}" 2>&1 \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$REMHOST"
# Import that file into the NSS database, trusting it for SSL.
certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$REMHOST" -i "$REMHOST"

Make sure the script is executable.

To add a certificate from a site you type the following:

import-cert.sh dirae.lunarservers.com 2083

In this case the site uses port 2083 instead of the default port 443. If the site uses the default port, you don't have to include it.

To see which certificates are in your database:

certutil -L -d sql:$HOME/.pki/nssdb

And should you want to delete a certificate:

certutil -D -n <the name> -d sql:$HOME/.pki/nssdb

I hope this solves a lot of frustrations about big red screens when accessing secure websites.


15 Comments

  1. ben says:

    Hi
    I tried the above, but when I visit my own webserver at 127.0.0.1 I still get the warning.

    In firefox it just works and no warnings.

  2. ben says:

    Hi
    I also tried with 192.168.1.103 instead of 127.0.0.1
    certutil -L -d sql:$HOME/.pki/nssdb

    Certificate Nickname                      Trust Attributes
                                              SSL,S/MIME,JAR/XPI

    192.168.1.103                             CT,,

    but still the nasty red warning

  3. ben says:

    The site’s security certificate is not trusted!
    You attempted to reach 127.0.0.1, but the server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

    I run 4.0.295.0 for Linux.
    In Firefox on the same computer it works fine,
    but Firefox is just slower than Chrome.

  4. Peter says:

    Moving the discussion to the forum as that’s an easier place to go back and forth.
    http://forums.avirtualhome.com/viewtopic.php?f=21&t=216

  5. Martin says:

    Excellent! Works like a charm, thank you.

  6. GK says:

    Thanks. Very useful info :)

  7. Cougar says:

    Works fine with openSUSE too. Package for certutil is mozilla-nss-tools however.

  8. zerwas says:

    Thank you very much. Could you edit the script so certificates are deleted from ~ after execution? I don’t see why they should stay there.

  9. G2x says:

    Great script, thanks !

    I kept getting the error “bad database”, so I added a few lines to the script to create the database in case it doesn’t already exist:

    #!/bin/sh
    #
    # usage: import-cert.sh remote.host.name [port]
    #

    # Create the NSS database if this profile does not have one yet
    if [ ! -e "$HOME/.pki/nssdb" ]
    then
        echo "==========================="
        echo "No Database found. Creating one..."
        echo "================================="
        mkdir -p "$HOME/.pki/nssdb"
        certutil -N -d "sql:$HOME/.pki/nssdb"
    fi

    REMHOST=$1
    REMPORT=${2:-443}
    exec 6>&1
    exec > "$REMHOST"
    echo | openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$REMHOST" -i "$REMHOST"
    exec 1>&6 6>&-

  10. Skomli says:

    This works great. Thank you for your script! It’s really helpfull :)

  11. Peter says:

    I tried the script out on Kubuntu 10.04 and imported certificates from 2 of my servers. One failed as there are certificates at 443 and 10000, but got round this by using server name for one import and servername.domain for the other.
    All three certs are listed OK
    certutil -L -d sql:$HOME/.pki/nssdb

    Certificate Nickname                      Trust Attributes
                                              SSL,S/MIME,JAR/XPI

    ipcop                                     CT,,
    web                                       CT,,
    web.dcmc                                  CT,,

    but chromium does not recognise them – any idea why not? Or any idea where to look to find out why not?
    Thanks for your help so far (it got me further than any other bit I have read yet)

  12. Peter says:

    Ah, sort of half figured it out (by reading the error message properly).
    ipcop server browsed to with https://ipcop:445 fails as the server says it is ipcop.dcmc so browsing there with the full name works
    web is harder to fix web or web.dcmc (or aliases for specific web sites) calls itself (as far as the certificate is concerned) ebox server so chromium fails to accept the cert
    web:10000 says it is called * (really unhelpful) so again it fails
    is there any way to convince chromium to accept the certificates?

  13. johntm4 says:

    I couldn’t get my notes in Windows Live Office to accept certificates in linux Chrome until I went to options/under the hood, scroll down to security, check ssl 2.0 and uncheck check for server certificate revocation.
