OLD | NEW |
1 **NOTE:** SSL client authentication with personal certificates does not work com
pletely in Linux, see [issue 16830](http://code.google.com/p/chromium/issues/det
ail?id=16830) and [issue 25241](http://code.google.com/p/chromium/issues/detail?
id=25241). | 1 # Linux Cert Management |
2 | 2 |
3 # Introduction | 3 **NOTE:** SSL client authentication with personal certificates does not work |
| 4 completely in Linux, see [issue 16830](https://crbug.com/16830) and |
| 5 [issue 25241](https://crbug.com/25241). |
4 | 6 |
5 The easy way to manage certificates is navigate to chrome://settings/search#ssl.
Then click on the "Manage Certificates" button. This will load a built-in inter
face for managing certificates. | 7 The easy way to manage certificates is navigate to chrome://settings/search#ssl. |
| 8 Then click on the "Manage Certificates" button. This will load a built-in |
| 9 interface for managing certificates. |
6 | 10 |
7 On Linux, Chromium uses the [NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_
DB_And_LINUX). If the built-in manager does not work for you then you can confi
gure certificates with the [NSS command line tools](http://www.mozilla.org/proje
cts/security/pki/nss/tools/). | 11 On Linux, Chromium uses the |
| 12 [NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the |
| 13 built-in manager does not work for you then you can configure certificates with |
| 14 the |
| 15 [NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/
). |
8 | 16 |
9 # Details | 17 ## Details |
10 | 18 |
11 ## Get the tools | 19 ### Get the tools |
12 * Debian/Ubuntu: `sudo apt-get install libnss3-tools` | |
13 * Fedora: `su -c "yum install nss-tools"` | |
14 * Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && em
erge dev-libs/nss"` (You need to launch all commands below with the `nss` prefi
x, e.g., `nsscertutil`.) | |
15 * Opensuse: `sudo zypper install mozilla-nss-tools` | |
16 | 20 |
| 21 * Debian/Ubuntu: `sudo apt-get install libnss3-tools` |
| 22 * Fedora: `su -c "yum install nss-tools"` |
| 23 * Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && |
| 24 emerge dev-libs/nss"` (You need to launch all commands below with the `nss` |
| 25 prefix, e.g., `nsscertutil`.) |
| 26 * Opensuse: `sudo zypper install mozilla-nss-tools` |
17 | 27 |
18 ## List all certificates | 28 ### List all certificates |
19 | 29 |
20 `certutil -d sql:$HOME/.pki/nssdb -L` | 30 certutil -d sql:$HOME/.pki/nssdb -L |
21 | 31 |
22 ### Ubuntu Jaunty error | 32 #### Ubuntu Jaunty error |
| 33 |
23 Above (and most commands) gives: | 34 Above (and most commands) gives: |
24 | 35 |
25 `certutil: function failed: security library: invalid arguments.` | 36 certutil: function failed: security library: invalid arguments. |
26 | 37 |
27 Package version 3.12.3.1-0ubuntu0.9.04.2 | 38 Package version 3.12.3.1-0ubuntu0.9.04.2 |
28 | 39 |
29 ## List details of a certificate | 40 ### List details of a certificate |
30 | 41 |
31 `certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>` | 42 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname> |
32 | 43 |
33 ## Add a certificate | 44 ### Add a certificate |
34 | 45 |
35 `certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i
<certificate filename>` | 46 ```shell |
| 47 certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \ |
| 48 -i <certificate filename> |
| 49 ``` |
36 | 50 |
37 The TRUSTARGS are three strings of zero or more alphabetic | 51 The TRUSTARGS are three strings of zero or more alphabetic characters, separated |
38 characters, separated by commas. They define how the certificate should be trus
ted for SSL, email, and object signing, and are explained in the [certutil docs]
(http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193) o
r [Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_
about_trust_flags). | 52 by commas. They define how the certificate should be trusted for SSL, email, and |
| 53 object signing, and are explained in the |
| 54 [certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.
html#1034193) |
| 55 or |
| 56 [Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_ab
out_trust_flags). |
39 | 57 |
40 For example, to trust a root CA certificate for issuing SSL server certificates,
use | 58 For example, to trust a root CA certificate for issuing SSL server certificates, |
| 59 use |
41 | 60 |
42 `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <cert
ificate filename>` | 61 ```shell |
| 62 certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \ |
| 63 -i <certificate filename> |
| 64 ``` |
43 | 65 |
44 To import an intermediate CA certificate, use | 66 To import an intermediate CA certificate, use |
45 | 67 |
46 `certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> -i <certi
ficate filename>` | 68 ```shell |
| 69 certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \ |
| 70 -i <certificate filename> |
| 71 ``` |
47 | 72 |
48 Note: to trust a self-signed server certificate, we should use | 73 Note: to trust a self-signed server certificate, we should use |
49 | 74 |
50 `certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> -i <cert
ificate filename>` | 75 ``` |
| 76 certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \ |
| 77 -i <certificate filename> |
| 78 ``` |
51 | 79 |
52 This should work now, because [NSS bug 531160](https://bugzilla.mozilla.org/show
_bug.cgi?id=531160) is claimed to be fixed in a related bug report. If it doesn
't work, then to work around the NSS bug, you have to trust it as a CA using the
"C,," trust flags. | 80 This should work now, because |
| 81 [NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed |
| 82 to be fixed in a related bug report. If it doesn't work, then to work around |
| 83 the NSS bug, you have to trust it as a CA using the "C,," trust flags. |
53 | 84 |
54 ### Add a personal certificate and private key for SSL client authentication | 85 #### Add a personal certificate and private key for SSL client authentication |
55 | 86 |
56 Use the command: | 87 Use the command: |
57 | 88 |
58 `pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12` | 89 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12 |
59 | 90 |
60 to import a personal certificate and private key stored in a PKCS #12 file. The
TRUSTARGS of the personal certificate will be set to "u,u,u". | 91 to import a personal certificate and private key stored in a PKCS #12 file. The |
| 92 TRUSTARGS of the personal certificate will be set to "u,u,u". |
61 | 93 |
62 ## Delete a certificate | 94 ### Delete a certificate |
63 | 95 |
64 `certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>` | 96 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname> |
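Review bot: the commands at NEW lines 30, 42, 89 and 96 (`certutil -d sql:$HOME/.pki/nssdb -L`, `certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>`, `pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12`, `certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>`) and the error text at NEW line 36 lost the inline backticks the OLD column had and are not fenced, while the add-certificate commands at NEW lines 46-49, 61-64 and 68-71 were moved into ```shell fences; put the bare commands and the error line in the same kind of fence (or restore the backticks) so that `$HOME` and `<certificate nickname>` are rendered as code rather than prose. The fence at NEW line 75 is also untagged, unlike the three ```shell fences above it; tag it `shell` for consistent highlighting.

Review bot: NEW lines 14-15 leave the word `the` alone on its own line before the NSS tools link, and the Gentoo command at NEW lines 23-24 is wrapped in the middle of a backtick span; both render, but rewrapping so the link text and the quoted command each stay on one line avoids a soft line break inside inline code. While touching those lines, the mozilla.org links at NEW lines 15 and 54 still use `http://` even though the crbug links at NEW lines 4-5 were switched to `https://`.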