Adding SSL certificates to Google Chrome Linux (Ubuntu)

Google Chrome in Linux doesn’t have a SSL certificate manager, it relies on the NSS Shared DB. In order to add SSL certificates to the database you will have to use the command line. I will explain how you can add the CAcert certificates and a very easy way to add self-signed certificates.

You will have to install some tools first:

sudo apt-get install libnss3-tools
sudo apt-get install curl

Adding CAcert certificates

Lets start with adding the CAcert certificates, this will help with a lot of sites

curl -k -o "cacert-root.crt"   "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

Adding self-signed certificates

There are certain sites that use self-signed certificates and you need to add them individually to the database and there are two options to do this:

Using Firefox

You can use Firefox to look at the certificate and then export the certificate to a file. This file can be used to import the certificate into the DB. Let’s say you export the file as a.pem now you can import this file

certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "A Name" -i a.pem

Even though this works, it’s quiet cumbersome and there is a better way

Using my little script

I have created a little script that will retrieve the certificate and imports it into the DB.

Create a file, lets call it import-cert.sh and the contents of the file is as follows:

#!/bin/sh
#
# usage:  import-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
exec 6>&1
exec > $REMHOST
echo | openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "$REMHOST" -i $REMHOST
exec 1>&6 6>&-

Make sure the script is executable.

To add a certificate from a site you type the following:

import-cert.sh dirae.lunarservers.com 2083
In this case it uses port 2083 instead of the default port 443. If it’s the default port you don’t have to include the port.

To see which certificates are included your database:

certutil -L -d sql:$HOME/.pki/nssdb

And should you want to delete a certificate

certutil -D -n <the name> -d sql:$HOME/.pki/nssdb

I hope this solves a lot of frustrations about big red screens when accessing secure websites.