Adding SSL certificates to Google Chrome Linux (Ubuntu)

-

Google Chrome in Linux doesn’t have a SSL certificate manager, it relies on the NSS Shared DB. In order to add SSL certificates to the database you will have to use the command line. I will explain how you can add the CAcert certificates and a very easy way to add self-signed certificates.

You will have to install some tools first:

sudo apt-get install libnss3-tools
sudo apt-get install curl

Adding CAcert certificates

Lets start with adding the CAcert certificates, this will help with a lot of sites

curl -k -o "cacert-root.crt"   "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt 
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

Adding self-signed certficates

There are certain sites that use self-signed certificates and you need to add them individually to the database and there are two options to do this:

Using Firefox

You can use Firefox to look at the certificate and then export the certificate to a file. This file can be used to import the certificate into the DB.
Let’s say you export the file as a.pem now you can import this file

certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "A Name" -i a.pem

Even though this works, it’s quiet cumbersome and there is a better way

Using my little script

I have created a little script that will retrieve the certificate and imports it into the DB.

Create a file, lets call it import-cert.sh and the contents of the file is as follows:

#!/bin/sh
#
# usage:  import-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
exec 6>&1
exec > $REMHOST
echo | openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "$REMHOST" -i $REMHOST 
exec 1>&6 6>&-

Make sure the script is executable.

To add a certificate from a site you type the following:

import-cert.sh dirae.lunarservers.com 2083

In this case it uses port 2083 instead of the default port 443. If it’s the default port you don’t have to include the port.

To see which certificates are included your database:

certutil -L -d sql:$HOME/.pki/nssdb

And should you want to delete a certificate

certutil -D -n  -d sql:$HOME/.pki/nssdb

I hope this solves a lot of frustrations about big red screens when accessing secure websites.

This article is filed under the category Desktop and has no tags associated with it.
  • ben

    Hi
    I tried the above
    when i visit my own webserver at 127.0.0.1 but I still get the warning.

    In firefox it just works and no warnings.

  • ben

    Hi
    I also tried with 192.168.1.103 instead of 127.0.0.1
    certutil -L -d sql:$HOME/.pki/nssdb

    Certificate Nickname Trust Attributes
    SSL,S/MIME,JAR/XPI

    192.168.1.103 CT,,

    but still the nasty red warning

    • What warning do you get?

  • ben

    The site’s security certificate is not trusted!
    You attempted to reach 127.0.0.1, but the server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

    i run 4.0.295.0 for linux
    in firefox on the same computer it works fine
    but firefox is just slower than chrome

  • Moving the discussion to the forum as that’s an easier place to go back and forth.
    http://forums.avirtualhome.com/viewtopic.php?f=21&t=216

  • Martin

    Excellent! Works like a charm, thak you.

  • GK

    Thanks. Very useful info πŸ™‚

  • Works fine with openSUSE too. Package for certutil is mozilla-nss-tools however.

  • zerwas

    Thank you very much. Could you edit the script so certificates are deleted from ~ after execution? I don’t see why they should stay there.

  • G2x

    Great script, thanks !

    I kept getting the error “bad database”, so I added a few lines to the script to create the database in case it doesn’t already exist:

    #!/bin/sh
    #
    # usage: import-cert.sh remote.host.name [port]
    #

    if [ ! -e $HOME/.pki/nssdb ]
    then
    echo “===========================
    No Database found. Creating one…
    =================================”
    mkdir -p $HOME/.pki/nssdb
    cd $HOME/.pki/nssdb
    certutil -N -d sql:.
    fi

    REMHOST=$1
    REMPORT=${2:-443}
    exec 6>&1
    exec > $REMHOST
    echo | openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’
    certutil -d sql

  • Skomli

    This works great. Thank you for your script! It’s really helpfull πŸ™‚

    • Glad I could help

  • Peter

    I tried the scrip out on Kubuntu10.04 and imported certificates from 2 of my servers. One failed as there are certificates at 443 and 10000 but got round this by using server name for one import and servername.domain for the other.
    All three certs are listed OK
    certutil -L -d sql:$HOME/.pki/nssdb

    Certificate Nickname Trust Attributes
    SSL,S/MIME,JAR/XPI

    ipcop CT,,
    web CT,,
    web.dcmc CT,,

    but chromium does not recognise them – any idea why not? Or any idea where to look to find out why not?
    Thanks for your help so far (it got me further than any other bit I have read yet)

  • Peter

    Ah, sort of half figured it out (by reading the error message properly).
    ipcop server browsed to with https://ipcop:445 fails as the server says it is ipcop.dcmc so browsing there with the full name works
    web is harder to fix web or web.dcmc (or aliases for specific web sites) calls itself (as far as the certificate is concerned) ebox server so chromium fails to accept the cert
    web:10000 says it is called * (really unhelpful) so again it fails
    is there any way to convince chromium to accept the certificates?

  • johntm4

    I couldn’t get my notes in Windows Live Office to accept certificates in linux Chrome until I went to options/under the hood, scroll down to security, check ssl 2.0 and uncheck check for server certificate revocation.

  • Works for me, thanks!

    I’ve added few lines (after assigns):

    if [ -z $REMHOST ]
    then
    certutil -L -d sql:$HOME/.pki/nssdb
    exit 0
    fi

    to list registered certificates when no parameter given

  • wdm

    oi! fail! to resolve problem certificate CN field MUST be equal to domain that you are connecting.
    eg.: if you request my.home.address and CN=ipcop this will not work
    CN must be =my.home.address

  • wdm

    oi! another fail! on one server two virtual hosts 1. default.com 2 anothername.com
    whatever you request openssl s_client -connect default.com:443 OR openssl s_client -connect anothername.com:443 RESULT SAME! commands shows default.com sertificate

  • Aymeric

    Thank you for your script : it works fine on Ubuntu 9.10.
    I just hope you will be hired by google to implement this native feature into Chrome πŸ™‚

  • Dave

    Thank you very much for sharing this! It is a great time saver.

  • Seth

    Big thanks for the write-up, this worked like a charm.

  • Ed

    I have tried this script and I cannot seem to get chrome or chromium to recognize my cert. Fedora 13.

    The certificate shows as installed with CT,, Trust attributes.

    The details show up for the certificate, but I am not sure what to look for WRT errors.

    Chrome spits out error code 8179, which is nss error “Peer’s certificate issuer is not recognized.”

  • Dan

    You, sir, are a genius.

    It worked great for my FreeNAS server. I had my self-signed certificate working OK in Windows, but was I stymied after many Linux attempts.

    My client computer runs Chromium browser with a minimal Arch Linux OS. I could not use the import facility provided by Chromium. Probably rightly so, since it rejects my certificate as not from trusted authority.

    Many thanks!

  • etech

    Cannot get this to work in Chrome on ubuntu 10.10. The script runs fine, produces the key file, but after adding it to the “server” section of the certificate manager for Chrome, I still get the not-trusted message.

    • wellyman

      In order Chrome to recognise your site as trusted one you should import self-signed server’s cert to Trusted Root CA in cert manager in Chrome as well and not forget to restart Chrome browser and direct it to your site again.

      • Ed

        I get the same as above on FC 13. I have tried a variety of scrips and utilities with no luck.

        Chrome sucks on this. Why can’t they just have a list of trusted sites / IPs?

      • Thanks for the tip, wellyman! It works!

  • Dilshod

    Thanks. It worked for me too.

  • YADA

    Thanks for the script! Works perfectly πŸ™‚

  • I’m frustrated by how some browsers work wonderfully for some programs but give you trouble for others. Can’t there be one great browser that is perfect for everything???

  • Skarjak

    Executing your script leaves me with the error message:

    certutil: could not obtain certificate from file: Unrecognized Object Identifier.

    Do you know what the problem is?

  • Kudos man, that eases my development a whole lot. πŸ™‚

  • oiram

    Works a treat for me!!! I’m using CAcert certs across all my sites and normally I import both root certs but was not able to work that out in case of Chromium and your solution just made it so simple. Thanks a lot.

  • Patrizio

    Thanks a lot!! It works like a charm…!
    Saver!

  • Diego

    Me getting this certificate is that somehow incorrect need to rework the server?
    verify error:num=$18:self signed certificate

  • zero

    my website is like this https://XXXXX/sso2/Login.jsp

    when i use this script like you sayed,but it didn’t work.
    ——————————————————————————
    root@smartuser-desktop:~# ./import-cert.sh XXXXX 443
    certutil: could not authenticate to token NSS Certificate DB.: An I/O error occurred during security authorization.
    ————————————-
    why not ? can you help me? skype:XXXXX

  • FWIW, this worked great for me but I had to restart Chrome for it to take effect. Thanks!

  • Will

    I tried following the steps but when I try and curl or wget https://squareup.com/ afterwards I still get `Unable to establish SSL connection.`

    I also had some trouble with the curly quotes when pasting the script. Is anyone willing to paste a final working version of the script into something like pastebin and share the link?

  • Matt

    You need to fix the directions for deleting a cert (don’t use angle brackets, or escape them like < &rt;)

  • Volodymyr Krupach

    You are the guru πŸ™‚
    Thank you!

  • Gabriel

    Works on ArchLinux too!
    Great tutorial!

    Cheers

    • Gabriel

      Although the libnss3-tools is just nss (available on [extra]).

  • AndrΓ©

    certutil not available for OpenSUSE.. (TW/Leap)

  • Thank you for this! This information and script are still useful in 2016!

  • sharon

    To add or delete a certificate, the command format is here
    https://wiki.archlinux.org/index.php/Network_Security_Services

download