Google Git
Sign in
chromium / chromium / src.git / 4beff79d07d1d461dcca85ace442dbd949e5b10d / . / docs / linux_cert_management.md
blob: bfc062771049a5a4f264b4681f86d3409c56f10a [file] [log] [blame] [view]
andybonsad92aa32015-08-31 02:27:44[diff] [blame]1# Linux Cert Management
andybons3322f762015-08-24 21:37:09[diff] [blame]2
nodira6074d4c2015-09-01 04:26:45[diff] [blame]3*** note
andybonsad92aa32015-08-31 02:27:44[diff] [blame]4**NOTE:** SSL client authentication with personal certificates does not work
5completely in Linux, see [issue 16830](https://crbug.com/16830) and
6[issue 25241](https://crbug.com/25241).
nodira6074d4c2015-09-01 04:26:45[diff] [blame]7***
andybons3322f762015-08-24 21:37:09[diff] [blame]8
andybonsad92aa32015-08-31 02:27:44[diff] [blame]9The easy way to manage certificates is navigate to chrome://settings/search#ssl.
10Then click on the "Manage Certificates" button. This will load a built-in
11interface for managing certificates.
andybons3322f762015-08-24 21:37:09[diff] [blame]12
andybonsad92aa32015-08-31 02:27:44[diff] [blame]13On Linux, Chromium uses the
14[NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
15built-in manager does not work for you then you can configure certificates with
16the
17[NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).
andybons3322f762015-08-24 21:37:09[diff] [blame]18
andybonsad92aa32015-08-31 02:27:44[diff] [blame]19## Details
andybons3322f762015-08-24 21:37:09[diff] [blame]20
andybonsad92aa32015-08-31 02:27:44[diff] [blame]21### Get the tools
andybons3322f762015-08-24 21:37:09[diff] [blame]22
andybonsad92aa32015-08-31 02:27:44[diff] [blame]23* Debian/Ubuntu: `sudo apt-get install libnss3-tools`
24* Fedora: `su -c "yum install nss-tools"`
25* Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
26 emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
27 prefix, e.g., `nsscertutil`.)
28* Opensuse: `sudo zypper install mozilla-nss-tools`
andybons3322f762015-08-24 21:37:09[diff] [blame]29
andybonsad92aa32015-08-31 02:27:44[diff] [blame]30### List all certificates
andybons3322f762015-08-24 21:37:09[diff] [blame]31
andybonsad92aa32015-08-31 02:27:44[diff] [blame]32 certutil -d sql:$HOME/.pki/nssdb -L
andybons3322f762015-08-24 21:37:09[diff] [blame]33
andybonsad92aa32015-08-31 02:27:44[diff] [blame]34#### Ubuntu Jaunty error
35
andybons3322f762015-08-24 21:37:09[diff] [blame]36Above (and most commands) gives:
37
andybonsad92aa32015-08-31 02:27:44[diff] [blame]38 certutil: function failed: security library: invalid arguments.
andybons3322f762015-08-24 21:37:09[diff] [blame]39
40Package version 3.12.3.1-0ubuntu0.9.04.2
41
andybonsad92aa32015-08-31 02:27:44[diff] [blame]42### List details of a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]43
andybonsad92aa32015-08-31 02:27:44[diff] [blame]44 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
andybons3322f762015-08-24 21:37:09[diff] [blame]45
andybonsad92aa32015-08-31 02:27:44[diff] [blame]46### Add a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]47
andybonsad92aa32015-08-31 02:27:44[diff] [blame]48```shell
49certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
50-i <certificate filename>
51```
andybons3322f762015-08-24 21:37:09[diff] [blame]52
andybonsad92aa32015-08-31 02:27:44[diff] [blame]53The TRUSTARGS are three strings of zero or more alphabetic characters, separated
54by commas. They define how the certificate should be trusted for SSL, email, and
55object signing, and are explained in the
56[certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193)
57or
58[Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
andybons3322f762015-08-24 21:37:09[diff] [blame]59
andybonsad92aa32015-08-31 02:27:44[diff] [blame]60For example, to trust a root CA certificate for issuing SSL server certificates,
61use
andybons3322f762015-08-24 21:37:09[diff] [blame]62
andybonsad92aa32015-08-31 02:27:44[diff] [blame]63```shell
64certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
65-i <certificate filename>
66```
andybons3322f762015-08-24 21:37:09[diff] [blame]67
68To import an intermediate CA certificate, use
69
andybonsad92aa32015-08-31 02:27:44[diff] [blame]70```shell
71certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
72-i <certificate filename>
73```
andybons3322f762015-08-24 21:37:09[diff] [blame]74
75Note: to trust a self-signed server certificate, we should use
76
andybonsad92aa32015-08-31 02:27:44[diff] [blame]77```
78certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
79-i <certificate filename>
80```
andybons3322f762015-08-24 21:37:09[diff] [blame]81
andybonsad92aa32015-08-31 02:27:44[diff] [blame]82This should work now, because
83[NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed
84to be fixed in a related bug report. If it doesn't work, then to work around
85the NSS bug, you have to trust it as a CA using the "C,," trust flags.
andybons3322f762015-08-24 21:37:09[diff] [blame]86
andybonsad92aa32015-08-31 02:27:44[diff] [blame]87#### Add a personal certificate and private key for SSL client authentication
andybons3322f762015-08-24 21:37:09[diff] [blame]88
89Use the command:
90
andybonsad92aa32015-08-31 02:27:44[diff] [blame]91 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
andybons3322f762015-08-24 21:37:09[diff] [blame]92
andybonsad92aa32015-08-31 02:27:44[diff] [blame]93to import a personal certificate and private key stored in a PKCS #12 file. The
94TRUSTARGS of the personal certificate will be set to "u,u,u".
andybons3322f762015-08-24 21:37:09[diff] [blame]95
andybonsad92aa32015-08-31 02:27:44[diff] [blame]96### Delete a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]97
andybonsad92aa32015-08-31 02:27:44[diff] [blame]98 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>