OLD | NEW |
(Empty) | |
| 1 **NOTE:** SSL client authentication with personal certificates does not work com
pletely in Linux, see [issue 16830](http://code.google.com/p/chromium/issues/det
ail?id=16830) and [issue 25241](http://code.google.com/p/chromium/issues/detail?
id=25241). |
| 2 |
| 3 # Introduction |
| 4 |
| 5 The easy way to manage certificates is navigate to chrome://settings/search#ssl.
Then click on the "Manage Certificates" button. This will load a built-in inter
face for managing certificates. |
| 6 |
| 7 On Linux, Chromium uses the [NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_
DB_And_LINUX). If the built-in manager does not work for you then you can confi
gure certificates with the [NSS command line tools](http://www.mozilla.org/proje
cts/security/pki/nss/tools/). |
| 8 |
| 9 # Details |
| 10 |
| 11 ## Get the tools |
| 12 * Debian/Ubuntu: `sudo apt-get install libnss3-tools` |
| 13 * Fedora: `su -c "yum install nss-tools"` |
| 14 * Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && em
erge dev-libs/nss"` (You need to launch all commands below with the `nss` prefi
x, e.g., `nsscertutil`.) |
| 15 * Opensuse: `sudo zypper install mozilla-nss-tools` |
| 16 |
| 17 |
| 18 ## List all certificates |
| 19 |
| 20 `certutil -d sql:$HOME/.pki/nssdb -L` |
| 21 |
| 22 ### Ubuntu Jaunty error |
| 23 Above (and most commands) gives: |
| 24 |
| 25 `certutil: function failed: security library: invalid arguments.` |
| 26 |
| 27 Package version 3.12.3.1-0ubuntu0.9.04.2 |
| 28 |
| 29 ## List details of a certificate |
| 30 |
| 31 `certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>` |
| 32 |
| 33 ## Add a certificate |
| 34 |
| 35 `certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i
<certificate filename>` |
| 36 |
| 37 The TRUSTARGS are three strings of zero or more alphabetic |
| 38 characters, separated by commas. They define how the certificate should be trus
ted for SSL, email, and object signing, and are explained in the [certutil docs]
(http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193) o
r [Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_
about_trust_flags). |
| 39 |
| 40 For example, to trust a root CA certificate for issuing SSL server certificates,
use |
| 41 |
| 42 `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <cert
ificate filename>` |
| 43 |
| 44 To import an intermediate CA certificate, use |
| 45 |
| 46 `certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> -i <certi
ficate filename>` |
| 47 |
| 48 Note: to trust a self-signed server certificate, we should use |
| 49 |
| 50 `certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> -i <cert
ificate filename>` |
| 51 |
| 52 This should work now, because [NSS bug 531160](https://bugzilla.mozilla.org/show
_bug.cgi?id=531160) is claimed to be fixed in a related bug report. If it doesn
't work, then to work around the NSS bug, you have to trust it as a CA using the
"C,," trust flags. |
| 53 |
| 54 ### Add a personal certificate and private key for SSL client authentication |
| 55 |
| 56 Use the command: |
| 57 |
| 58 `pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12` |
| 59 |
| 60 to import a personal certificate and private key stored in a PKCS #12 file. The
TRUSTARGS of the personal certificate will be set to "u,u,u". |
| 61 |
| 62 ## Delete a certificate |
| 63 |
| 64 `certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>` |
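Review bot: The fallback at new lines 48-52 tells readers to import a self-signed server certificate with the "C,," flags when "P,," does not work, but line 40 describes "C,," as trusting a root CA for issuing SSL server certificates, so the workaround makes that certificate an issuer rather than trusting only the one server. State that difference next to the workaround, and tell readers to delete the entry (the `-D` command at line 64) and re-add it with "P,," once their NSS carries the fix. The wording "is claimed to be fixed in a related bug report" at line 52 is also too vague to act on: name the NSS version that includes the fix for bug 531160, or link the report that confirms it. Separately, the "Ubuntu Jaunty error" section at lines 22-27 records the error and the package version but gives no workaround or status, so either add one or say that none is known.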