Chromium Code Reviews

Side by Side Diff: docs/linux_cert_management.md

Issue 1324603002: [Docs] Another round of stylistic fixes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 3 months ago
OLD NEW
1 **NOTE:** SSL client authentication with personal certificates does not work com pletely in Linux, see [issue 16830](http://code.google.com/p/chromium/issues/det ail?id=16830) and [issue 25241](http://code.google.com/p/chromium/issues/detail? id=25241). 1 # Linux Cert Management
2 2
3 # Introduction 3 **NOTE:** SSL client authentication with personal certificates does not work
4 completely in Linux, see [issue 16830](https://crbug.com/16830) and
5 [issue 25241](https://crbug.com/25241).
4 6
5 The easy way to manage certificates is navigate to chrome://settings/search#ssl. Then click on the "Manage Certificates" button. This will load a built-in inter face for managing certificates. 7 The easy way to manage certificates is navigate to chrome://settings/search#ssl.
8 Then click on the "Manage Certificates" button. This will load a built-in
9 interface for managing certificates.
6 10
7 On Linux, Chromium uses the [NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_ DB_And_LINUX). If the built-in manager does not work for you then you can confi gure certificates with the [NSS command line tools](http://www.mozilla.org/proje cts/security/pki/nss/tools/). 11 On Linux, Chromium uses the
12 [NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
13 built-in manager does not work for you then you can configure certificates with
14 the
15 [NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/ ).
8 16
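Review bot: On new lines 14-15 the NSS command line tools link is still http://www.mozilla.org/projects/security/pki/nss/tools/, while the two issue links in the NOTE are rewritten to https://crbug.com/ in this same patch; switch it to https, after checking that the target still resolves, so the page that tells readers which certificate tools to use is not fetched in cleartext. While new line 7 is being rewrapped, "is navigate to" could also become "is to navigate to".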
9 # Details 17 ## Details
10 18
11 ## Get the tools 19 ### Get the tools
12 * Debian/Ubuntu: `sudo apt-get install libnss3-tools`
13 * Fedora: `su -c "yum install nss-tools"`
14 * Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && em erge dev-libs/nss"` (You need to launch all commands below with the `nss` prefi x, e.g., `nsscertutil`.)
15 * Opensuse: `sudo zypper install mozilla-nss-tools`
16 20
21 * Debian/Ubuntu: `sudo apt-get install libnss3-tools`
22 * Fedora: `su -c "yum install nss-tools"`
23 * Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
24 emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
25 prefix, e.g., `nsscertutil`.)
26 * Opensuse: `sudo zypper install mozilla-nss-tools`
17 27
18 ## List all certificates 28 ### List all certificates
19 29
20 `certutil -d sql:$HOME/.pki/nssdb -L` 30 certutil -d sql:$HOME/.pki/nssdb -L
21 31
22 ### Ubuntu Jaunty error 32 #### Ubuntu Jaunty error
33
23 Above (and most commands) gives: 34 Above (and most commands) gives:
24 35
25 `certutil: function failed: security library: invalid arguments.` 36 certutil: function failed: security library: invalid arguments.
26 37
27 Package version 3.12.3.1-0ubuntu0.9.04.2 38 Package version 3.12.3.1-0ubuntu0.9.04.2
28 39
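Review bot: The command on new line 30 and the error text on new line 36 lose their backticks but do not get the shell-tagged fence that the "Add a certificate" commands get on new lines 46-49, so the file ends up with two code-block styles; use the fence for the single-line commands as well (the same applies to new lines 42, 89 and 96). In the same section, "Above (and most commands) gives:" and the bare "Package version 3.12.3.1-0ubuntu0.9.04.2" do not say which package is meant, which is worth a few words of context.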
29 ## List details of a certificate 40 ### List details of a certificate
30 41
31 `certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>` 42 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
32 43
33 ## Add a certificate 44 ### Add a certificate
34 45
35 `certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i <certificate filename>` 46 ```shell
47 certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
48 -i <certificate filename>
49 ```
36 50
37 The TRUSTARGS are three strings of zero or more alphabetic 51 The TRUSTARGS are three strings of zero or more alphabetic characters, separated
38 characters, separated by commas. They define how the certificate should be trus ted for SSL, email, and object signing, and are explained in the [certutil docs] (http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193) o r [Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_ about_trust_flags). 52 by commas. They define how the certificate should be trusted for SSL, email, and
53 object signing, and are explained in the
54 [certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil. html#1034193)
55 or
56 [Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_ab out_trust_flags).
39 57
40 For example, to trust a root CA certificate for issuing SSL server certificates, use 58 For example, to trust a root CA certificate for issuing SSL server certificates,
59 use
41 60
42 `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <cert ificate filename>` 61 ```shell
62 certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
63 -i <certificate filename>
64 ```
43 65
44 To import an intermediate CA certificate, use 66 To import an intermediate CA certificate, use
45 67
46 `certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> -i <certi ficate filename>` 68 ```shell
69 certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
70 -i <certificate filename>
71 ```
47 72
48 Note: to trust a self-signed server certificate, we should use 73 Note: to trust a self-signed server certificate, we should use
49 74
50 `certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> -i <cert ificate filename>` 75 ```
76 certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
77 -i <certificate filename>
78 ```
51 79
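Review bot: The fence opened on new line 75 has no language tag, unlike the otherwise identical blocks on new lines 61 and 68, which open with a shell tag; add the tag so the three trust-flag examples render the same way.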
52 This should work now, because [NSS bug 531160](https://bugzilla.mozilla.org/show _bug.cgi?id=531160) is claimed to be fixed in a related bug report. If it doesn 't work, then to work around the NSS bug, you have to trust it as a CA using the "C,," trust flags. 80 This should work now, because
81 [NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed
82 to be fixed in a related bug report. If it doesn't work, then to work around
83 the NSS bug, you have to trust it as a CA using the "C,," trust flags.
53 84
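Review bot: The fallback on new lines 82-83 tells the reader to trust a self-signed server certificate with "C,,", which this page describes a few paragraphs earlier as trusting a CA for issuing SSL server certificates, so the workaround grants more than the "P,," it replaces and the text does not say so. Add a sentence stating that difference and that the entry should be changed back to "P,," once a fixed NSS is in use; "is claimed to be fixed in a related bug report" would also be firmer with a link to that report.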
54 ### Add a personal certificate and private key for SSL client authentication 85 #### Add a personal certificate and private key for SSL client authentication
55 86
56 Use the command: 87 Use the command:
57 88
58 `pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12` 89 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
59 90
60 to import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to "u,u,u". 91 to import a personal certificate and private key stored in a PKCS #12 file. The
92 TRUSTARGS of the personal certificate will be set to "u,u,u".
61 93
62 ## Delete a certificate 94 ### Delete a certificate
63 95
64 `certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>` 96 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>