Google Git
Sign in
chromium / chromium / src.git / 50a99c3450a2531381012bb026d80cb4ce596213 / . / docs / linux_cert_management.md
blob: 7c75acf8ceabdb12ea5427dc319480b2d9108533 [file] [log] [blame] [view]
andybonsad92aa32015-08-31 02:27:44[diff] [blame]1# Linux Cert Management
andybons3322f762015-08-24 21:37:09[diff] [blame]2
andybonsad92aa32015-08-31 02:27:44[diff] [blame]3**NOTE:** SSL client authentication with personal certificates does not work
4completely in Linux, see [issue 16830](https://crbug.com/16830) and
5[issue 25241](https://crbug.com/25241).
andybons3322f762015-08-24 21:37:09[diff] [blame]6
andybonsad92aa32015-08-31 02:27:44[diff] [blame]7The easy way to manage certificates is navigate to chrome://settings/search#ssl.
8Then click on the "Manage Certificates" button. This will load a built-in
9interface for managing certificates.
andybons3322f762015-08-24 21:37:09[diff] [blame]10
andybonsad92aa32015-08-31 02:27:44[diff] [blame]11On Linux, Chromium uses the
12[NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
13built-in manager does not work for you then you can configure certificates with
14the
15[NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).
andybons3322f762015-08-24 21:37:09[diff] [blame]16
andybonsad92aa32015-08-31 02:27:44[diff] [blame]17## Details
andybons3322f762015-08-24 21:37:09[diff] [blame]18
andybonsad92aa32015-08-31 02:27:44[diff] [blame]19### Get the tools
andybons3322f762015-08-24 21:37:09[diff] [blame]20
andybonsad92aa32015-08-31 02:27:44[diff] [blame]21* Debian/Ubuntu: `sudo apt-get install libnss3-tools`
22* Fedora: `su -c "yum install nss-tools"`
23* Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
24 emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
25 prefix, e.g., `nsscertutil`.)
26* Opensuse: `sudo zypper install mozilla-nss-tools`
andybons3322f762015-08-24 21:37:09[diff] [blame]27
andybonsad92aa32015-08-31 02:27:44[diff] [blame]28### List all certificates
andybons3322f762015-08-24 21:37:09[diff] [blame]29
andybonsad92aa32015-08-31 02:27:44[diff] [blame]30 certutil -d sql:$HOME/.pki/nssdb -L
andybons3322f762015-08-24 21:37:09[diff] [blame]31
andybonsad92aa32015-08-31 02:27:44[diff] [blame]32#### Ubuntu Jaunty error
33
andybons3322f762015-08-24 21:37:09[diff] [blame]34Above (and most commands) gives:
35
andybonsad92aa32015-08-31 02:27:44[diff] [blame]36 certutil: function failed: security library: invalid arguments.
andybons3322f762015-08-24 21:37:09[diff] [blame]37
38Package version 3.12.3.1-0ubuntu0.9.04.2
39
andybonsad92aa32015-08-31 02:27:44[diff] [blame]40### List details of a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]41
andybonsad92aa32015-08-31 02:27:44[diff] [blame]42 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
andybons3322f762015-08-24 21:37:09[diff] [blame]43
andybonsad92aa32015-08-31 02:27:44[diff] [blame]44### Add a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]45
andybonsad92aa32015-08-31 02:27:44[diff] [blame]46```shell
47certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
48-i <certificate filename>
49```
andybons3322f762015-08-24 21:37:09[diff] [blame]50
andybonsad92aa32015-08-31 02:27:44[diff] [blame]51The TRUSTARGS are three strings of zero or more alphabetic characters, separated
52by commas. They define how the certificate should be trusted for SSL, email, and
53object signing, and are explained in the
54[certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193)
55or
56[Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
andybons3322f762015-08-24 21:37:09[diff] [blame]57
andybonsad92aa32015-08-31 02:27:44[diff] [blame]58For example, to trust a root CA certificate for issuing SSL server certificates,
59use
andybons3322f762015-08-24 21:37:09[diff] [blame]60
andybonsad92aa32015-08-31 02:27:44[diff] [blame]61```shell
62certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
63-i <certificate filename>
64```
andybons3322f762015-08-24 21:37:09[diff] [blame]65
66To import an intermediate CA certificate, use
67
andybonsad92aa32015-08-31 02:27:44[diff] [blame]68```shell
69certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
70-i <certificate filename>
71```
andybons3322f762015-08-24 21:37:09[diff] [blame]72
73Note: to trust a self-signed server certificate, we should use
74
andybonsad92aa32015-08-31 02:27:44[diff] [blame]75```
76certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
77-i <certificate filename>
78```
andybons3322f762015-08-24 21:37:09[diff] [blame]79
andybonsad92aa32015-08-31 02:27:44[diff] [blame]80This should work now, because
81[NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed
82to be fixed in a related bug report. If it doesn't work, then to work around
83the NSS bug, you have to trust it as a CA using the "C,," trust flags.
andybons3322f762015-08-24 21:37:09[diff] [blame]84
andybonsad92aa32015-08-31 02:27:44[diff] [blame]85#### Add a personal certificate and private key for SSL client authentication
andybons3322f762015-08-24 21:37:09[diff] [blame]86
87Use the command:
88
andybonsad92aa32015-08-31 02:27:44[diff] [blame]89 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
andybons3322f762015-08-24 21:37:09[diff] [blame]90
andybonsad92aa32015-08-31 02:27:44[diff] [blame]91to import a personal certificate and private key stored in a PKCS #12 file. The
92TRUSTARGS of the personal certificate will be set to "u,u,u".
andybons3322f762015-08-24 21:37:09[diff] [blame]93
andybonsad92aa32015-08-31 02:27:44[diff] [blame]94### Delete a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]95
andybonsad92aa32015-08-31 02:27:44[diff] [blame]96 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>