Google Chrome on Linux doesn't have an SSL certificate manager; it relies on the NSS shared DB. To add SSL certificates to that database you have to use the command line. I will explain how to add the CAcert certificates and a very easy way to add self-signed certificates.
You will have to install some tools first:
sudo apt-get install libnss3-tools
sudo apt-get install curl
Adding CAcert certificates
Let's start by adding the CAcert certificates; this will help with a lot of sites. The files are fetched over plain HTTP with certificate checking disabled (-k), so compare each file's fingerprint with the one CAcert publishes before you import it.
curl -k -o "cacert-root.crt" "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
Adding self-signed certificates
Some sites use self-signed certificates, which you need to add to the database individually. There are two ways to do this:
Using Firefox
You can use Firefox to look at the certificate and then export it to a file. This file can then be used to import the certificate into the DB.
Let's say you exported the file as a.pem; now you can import it:
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "A Name" -i a.pem
Even though this works, it's quite cumbersome, and there is a better way.
Using my little script
I have created a little script that retrieves the certificate and imports it into the DB.
Create a file, let's call it import-cert.sh, with the following contents:
#!/bin/sh
#
# usage: import-cert.sh remote.host.name [port]
#
# Fetches the certificate a server presents and adds it to Chrome's NSS
# shared DB, using the host name as the nickname.
REMHOST=$1
REMPORT=${2:-443}
if [ -z "$REMHOST" ]; then
  echo "usage: $0 remote.host.name [port]" >&2
  exit 1
fi
# echo closes stdin so s_client returns right after the handshake; -servername
# sends SNI so a server hosting several names returns the certificate for the
# one asked for; sed keeps only the PEM block, saved in a file named after the host
echo | openssl s_client -servername "$REMHOST" -connect "${REMHOST}:${REMPORT}" 2>&1 \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$REMHOST"
# Import the saved certificate, trusted as a CA for SSL (-t TC)
certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$REMHOST" -i "$REMHOST"
Make sure the script is executable.
To add a certificate from a site you type the following:
import-cert.sh dirae.lunarservers.com 2083
In this case it uses port 2083 instead of the default port 443. If it’s the default port you don’t have to include the port.
To see which certificates are in your database:
certutil -L -d sql:$HOME/.pki/nssdb
And should you want to delete a certificate, replacing <nickname> with the nickname shown in that listing:
certutil -D -n "<nickname>" -d sql:$HOME/.pki/nssdb
I hope this solves a lot of frustrations about big red screens when accessing secure websites.

Hi
I tried the above
when I visit my own webserver at 127.0.0.1, but I still get the warning.
In Firefox it just works, no warnings.
Hi
I also tried with 192.168.1.103 instead of 127.0.0.1
certutil -L -d sql:$HOME/.pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
192.168.1.103 CT,,
but still the nasty red warning
What warning do you get?
The site’s security certificate is not trusted!
You attempted to reach 127.0.0.1, but the server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.
I run 4.0.295.0 for Linux
in Firefox on the same computer it works fine
but Firefox is just slower than Chrome
Moving the discussion to the forum as that’s an easier place to go back and forth.
http://forums.avirtualhome.com/viewtopic.php?f=21&t=216
Excellent! Works like a charm, thank you.
Thanks. Very useful info
Works fine with openSUSE too. Package for certutil is mozilla-nss-tools however.
Thank you very much. Could you edit the script so certificates are deleted from ~ after execution? I don’t see why they should stay there.
Great script, thanks!
I kept getting the error “bad database”, so I added a few lines to the script to create the database in case it doesn’t already exist:
#!/bin/sh
#
# usage: import-cert.sh remote.host.name [port]
#
# Create the NSS database first if it does not exist yet
if [ ! -e "$HOME/.pki/nssdb" ]
then
echo "===========================
No Database found. Creating one...
================================="
mkdir -p "$HOME/.pki/nssdb"
# certutil -N creates an empty database (it prompts for a password);
# no cd here, so the certificate file below still lands in the current directory
certutil -N -d "sql:$HOME/.pki/nssdb"
fi
REMHOST=$1
REMPORT=${2:-443}
exec 6>&1
exec > "$REMHOST"
echo | openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$REMHOST" -i "$REMHOST"
exec 1>&6 6>&-
This works great. Thank you for your script! It's really helpful
Glad I could help
I tried the script out on Kubuntu 10.04 and imported certificates from 2 of my servers. One failed as there are certificates at 443 and 10000, but I got round this by using the server name for one import and servername.domain for the other.
All three certs are listed OK
certutil -L -d sql:$HOME/.pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ipcop CT,,
web CT,,
web.dcmc CT,,
but chromium does not recognise them – any idea why not? Or any idea where to look to find out why not?
Thanks for your help so far (it got me further than any other bit I have read yet)
Ah, sort of half figured it out (by reading the error message properly).
ipcop server browsed to with https://ipcop:445 fails, as the server says it is ipcop.dcmc, so browsing there with the full name works
web is harder to fix: web or web.dcmc (or aliases for specific web sites) calls itself (as far as the certificate is concerned) ebox server, so chromium fails to accept the cert
web:10000 says it is called * (really unhelpful), so again it fails
is there any way to convince chromium to accept the certificates?
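The failures above (ipcop versus ipcop.dcmc, a certificate that calls itself "ebox server", a bare "*") are all name mismatches: Chromium compares the name typed in the address bar with the certificate's CN and subjectAltName entries regardless of what the NSS database trusts, so importing the certificate cannot fix them. The following is an added example, not code from the post or from any commenter, that makes this check visible before you import. It implements the general matching rule (exact match, or a wildcard standing for exactly one leftmost label with at least two labels after it), not just the three cases in the comment; the function names, the file name check-cert-name.sh and the sample x509 text are this example's own, and check_host assumes an openssl whose x509 command has the -ext option (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not code from the post or the comments): check whether the name
# typed in the browser is covered by a certificate's names, which is what
# Chromium enforces no matter what the NSS database trusts. Function names and
# the file name check-cert-name.sh are this example's own.

# name_matches PATTERN HOST: exit 0 if PATTERN (a CN or SAN dNSName) covers HOST.
# Exact match, case-insensitively, or a wildcard that is the whole leftmost label
# and stands for exactly one label; "*" alone and "*.tld" are rejected.
name_matches() {
  nm_pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  nm_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$nm_pat" = "$nm_host" ] && return 0
  case "$nm_pat" in
    \*.*.*) ;;              # "*." followed by at least two labels
    *) return 1 ;;
  esac
  nm_suffix=${nm_pat#\*.}
  case "$nm_suffix" in *\**) return 1 ;; esac   # only one wildcard allowed
  case "$nm_host" in
    *."$nm_suffix") ;;
    *) return 1 ;;
  esac
  nm_first=${nm_host%."$nm_suffix"}
  case "$nm_first" in
    ''|*.*) return 1 ;;     # the wildcard must cover one non-empty label
  esac
  return 0
}

# cert_names: read "openssl x509 -noout -subject -ext subjectAltName" output on
# stdin and print one candidate name per line: the CN, then each DNS: SAN entry
cert_names() {
  awk '
    /subject=/ {
      if (match($0, "CN *= *[^,/]+")) {
        cn = substr($0, RSTART, RLENGTH)
        sub("^CN *= *", "", cn); sub(" *$", "", cn)
        print cn
      }
    }
    /DNS:/ {
      n = split($0, part, ", *")
      for (i = 1; i <= n; i++)
        if (sub("^ *DNS:", "", part[i])) print part[i]
    }'
}

# first_match HOST: read candidate names on stdin, print the first one covering HOST
first_match() {
  while IFS= read -r fm_name; do
    if name_matches "$fm_name" "$1"; then
      printf '%s\n' "$fm_name"
      return 0
    fi
  done
  return 1
}

# Constructed sample shaped like the x509 output above (not a real server's names)
SAMPLE_X509='subject=C = XX, O = Example, CN = ebox server
X509v3 Subject Alternative Name:
    DNS:web.dcmc, DNS:*.web.dcmc'

# demo HOST: run the check against the constructed sample
demo() {
  if d_hit=$(printf '%s\n' "$SAMPLE_X509" | cert_names | first_match "$1"); then
    echo "ok: '$d_hit' covers $1"
  else
    echo "mismatch: no name in the sample covers $1"
    return 1
  fi
}

# check_host HOST [PORT]: fetch the certificate HOST presents (with SNI) and
# report whether one of its names covers HOST. Assumes an openssl with the
# "x509 -ext" option (1.1.1 or later).
check_host() {
  ch_names=$(echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null | cert_names)
  if ch_hit=$(printf '%s\n' "$ch_names" | first_match "$1"); then
    echo "ok: '$ch_hit' covers $1"
  else
    echo "mismatch: $1 is not covered by any of the names presented:" >&2
    printf '%s\n' "$ch_names" | sed 's/^/  /' >&2
    return 1
  fi
}

# check_host runs only when the file is executed as check-cert-name.sh
case "$0" in
  *check-cert-name.sh) [ $# -ge 1 ] || { echo "usage: $0 host [port]" >&2; exit 1; }
                       check_host "$@" ;;
esac
```

Run as check-cert-name.sh web 10000 to see which names the server actually sends; a mismatch means the certificate has to be reissued for the name you use (or you browse to the name it carries), since no trust setting in the NSS database changes that check.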
I couldn’t get my notes in Windows Live Office to accept certificates in linux Chrome until I went to options/under the hood, scroll down to security, check ssl 2.0 and uncheck check for server certificate revocation.
Works for me, thanks!
I've added a few lines (after the assignments):
if [ -z "$REMHOST" ]
then
certutil -L -d sql:$HOME/.pki/nssdb
exit 0
fi
to list registered certificates when no parameter is given
oi! fail! To resolve the problem, the certificate CN field MUST be equal to the domain that you are connecting to.
e.g.: if you request my.home.address and CN=ipcop this will not work
CN must be my.home.address
oi! another fail! On one server with two virtual hosts, 1. default.com 2. anothername.com,
whatever you request, openssl s_client -connect default.com:443 OR openssl s_client -connect anothername.com:443, the RESULT is the SAME! Both commands show the default.com certificate
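As an added example, and not the post's script or any commenter's code, here is a version of import-cert.sh that folds in the points raised in the comments: it creates the NSS database when it is missing (the "bad database" error), lists the database when called without arguments, sends SNI with -servername so a server with several virtual hosts returns the certificate for the name you asked for rather than its default site, prints the certificate's subject and SHA-256 fingerprint so you can compare them with what the server's administrator published before trusting it, and removes the temporary certificate file afterwards. The names NSSDB, extract_pem, ensure_db, fetch_cert, describe_cert and import_cert are this example's own; the trust flags -t TC follow the post.

```shell
#!/bin/sh
# Added example: import-cert.sh with the fixes raised in the comments folded in.
# Names below (NSSDB, extract_pem, ensure_db, fetch_cert, describe_cert,
# import_cert) are this example's own, not the post's.
#
# usage: import-cert.sh [remote.host.name [port]]
#   with no arguments it lists the certificates in the database

NSSDB="$HOME/.pki/nssdb"

# extract_pem: from s_client's verbose output on stdin keep only the first PEM
# block (the server's own certificate; certutil -A imports a single certificate)
extract_pem() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/{p;/-END CERTIFICATE-/q;}'
}

# ensure_db: create the shared database if it is missing (the "bad database"
# error); certutil -N prompts for a password, press Enter to leave it empty
ensure_db() {
  if [ ! -e "$NSSDB/cert9.db" ]; then
    echo "No database found in $NSSDB, creating one" >&2
    mkdir -p "$NSSDB"
    certutil -N -d "sql:$NSSDB"
  fi
}

# fetch_cert HOST PORT FILE: save the certificate HOST presents into FILE.
# -servername sends SNI, so a server with several virtual hosts returns the
# certificate for HOST rather than for its default site.
fetch_cert() {
  echo | openssl s_client -servername "$1" -connect "$1:$2" 2>&1 | extract_pem > "$3"
  [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
}

# describe_cert FILE: show subject and SHA-256 fingerprint so they can be
# compared with what the server's administrator published before trusting it
describe_cert() {
  openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# import_cert FILE NICKNAME: add FILE to the database with the post's trust
# flags (-t TC: trusted CA for SSL and client auth)
import_cert() {
  certutil -d "sql:$NSSDB" -A -t TC -n "$2" -i "$1"
}

main() {
  ensure_db
  if [ $# -eq 0 ]; then
    certutil -L -d "sql:$NSSDB"
    return 0
  fi
  host=$1
  port=${2:-443}
  tmp=$(mktemp) || return 1
  trap 'rm -f "$tmp"' EXIT      # no certificate file left behind
  fetch_cert "$host" "$port" "$tmp" || return 1
  describe_cert "$tmp"
  import_cert "$tmp" "$host" || return 1
  echo "imported $host as '$host'; restart Chrome for it to take effect"
}

# main only runs when the file is executed under its own name; sourcing it, or
# running it under another name, just defines the functions
case "$0" in
  *import-cert.sh) main "$@" ;;
esac
```

Nothing here changes what Chromium checks afterwards: the name you browse to still has to match the certificate's CN or subjectAltName, and the browser has to be restarted before the new entry is picked up.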
Thank you for your script: it works fine on Ubuntu 9.10.
I just hope you will be hired by google to implement this native feature into Chrome
Thank you very much for sharing this! It is a great time saver.
Big thanks for the write-up, this worked like a charm.
I have tried this script and I cannot seem to get chrome or chromium to recognize my cert. Fedora 13.
The certificate shows as installed with CT,, Trust attributes.
The details show up for the certificate, but I am not sure what to look for WRT errors.
Chrome spits out error code 8179, which is nss error “Peer’s certificate issuer is not recognized.”
You, sir, are a genius.
It worked great for my FreeNAS server. I had my self-signed certificate working OK in Windows, but I was stymied after many Linux attempts.
My client computer runs Chromium browser with a minimal Arch Linux OS. I could not use the import facility provided by Chromium. Probably rightly so, since it rejects my certificate as not from trusted authority.
Many thanks!
Cannot get this to work in Chrome on ubuntu 10.10. The script runs fine, produces the key file, but after adding it to the “server” section of the certificate manager for Chrome, I still get the not-trusted message.
In order for Chrome to recognise your site as trusted you should import the self-signed server's cert into Trusted Root CA in the cert manager in Chrome as well, and don't forget to restart the Chrome browser and direct it to your site again.
I get the same as above on FC 13. I have tried a variety of scripts and utilities with no luck.
Chrome sucks on this. Why can’t they just have a list of trusted sites / IPs?
Thanks for the tip, wellyman! It works!
Thanks. It worked for me too.
Thanks for the script! Works perfectly
I’m frustrated by how some browsers work wonderfully for some programs but give you trouble for others. Can’t there be one great browser that is perfect for everything???
Executing your script leaves me with the error message:
certutil: could not obtain certificate from file: Unrecognized Object Identifier.
Do you know what the problem is?
Kudos man, that eases my development a whole lot.
Works a treat for me!!! I’m using CAcert certs across all my sites and normally I import both root certs but was not able to work that out in case of Chromium and your solution just made it so simple. Thanks a lot.
Thanks a lot!! It works like a charm…!
Saver!
I'm getting this when getting the certificate; is that somehow incorrect, do I need to rework the server?
verify error:num=$18:self signed certificate
my website is like this https://XXXXX/sso2/Login.jsp
when I use this script like you said, it didn't work.
——————————————————————————
root@smartuser-desktop:~# ./import-cert.sh XXXXX 443
certutil: could not authenticate to token NSS Certificate DB.: An I/O error occurred during security authorization.
————————————-
Why not? Can you help me? skype:XXXXX
FWIW, this worked great for me but I had to restart Chrome for it to take effect. Thanks!
I tried following the steps but when I try and curl or wget https://squareup.com/ afterwards I still get `Unable to establish SSL connection.`
I also had some trouble with the curly quotes when pasting the script. Is anyone willing to paste a final working version of the script into something like pastebin and share the link?
You need to fix the directions for deleting a cert (don’t use angle brackets, or escape them like < &rt;)