Google Git
Sign in
chromium / chromium / src.git / ec992a43e7fc9133a4c589da773ea46c552dbe16 / . / docs / linux_cert_management.md
blob: 7af877f18f65d17239fa2dd8a7488a3ab3c512f2 [file] [log] [blame] [view]
andybonsad92aa32015-08-31 02:27:44[diff] [blame]1# Linux Cert Management
andybons3322f762015-08-24 21:37:09[diff] [blame]2
andybonsad92aa32015-08-31 02:27:44[diff] [blame]3The easy way to manage certificates is navigate to chrome://settings/search#ssl.
4Then click on the "Manage Certificates" button. This will load a built-in
5interface for managing certificates.
andybons3322f762015-08-24 21:37:09[diff] [blame]6
andybonsad92aa32015-08-31 02:27:44[diff] [blame]7On Linux, Chromium uses the
8[NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
9built-in manager does not work for you then you can configure certificates with
10the
11[NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).
andybons3322f762015-08-24 21:37:09[diff] [blame]12
andybonsad92aa32015-08-31 02:27:44[diff] [blame]13## Details
andybons3322f762015-08-24 21:37:09[diff] [blame]14
andybonsad92aa32015-08-31 02:27:44[diff] [blame]15### Get the tools
andybons3322f762015-08-24 21:37:09[diff] [blame]16
andybonsad92aa32015-08-31 02:27:44[diff] [blame]17* Debian/Ubuntu: `sudo apt-get install libnss3-tools`
18* Fedora: `su -c "yum install nss-tools"`
19* Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
20 emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
21 prefix, e.g., `nsscertutil`.)
22* Opensuse: `sudo zypper install mozilla-nss-tools`
andybons3322f762015-08-24 21:37:09[diff] [blame]23
andybonsad92aa32015-08-31 02:27:44[diff] [blame]24### List all certificates
andybons3322f762015-08-24 21:37:09[diff] [blame]25
andybonsad92aa32015-08-31 02:27:44[diff] [blame]26 certutil -d sql:$HOME/.pki/nssdb -L
andybons3322f762015-08-24 21:37:09[diff] [blame]27
andybonsad92aa32015-08-31 02:27:44[diff] [blame]28#### Ubuntu Jaunty error
29
andybons3322f762015-08-24 21:37:09[diff] [blame]30Above (and most commands) gives:
31
andybonsad92aa32015-08-31 02:27:44[diff] [blame]32 certutil: function failed: security library: invalid arguments.
andybons3322f762015-08-24 21:37:09[diff] [blame]33
34Package version 3.12.3.1-0ubuntu0.9.04.2
35
andybonsad92aa32015-08-31 02:27:44[diff] [blame]36### List details of a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]37
andybonsad92aa32015-08-31 02:27:44[diff] [blame]38 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
andybons3322f762015-08-24 21:37:09[diff] [blame]39
andybonsad92aa32015-08-31 02:27:44[diff] [blame]40### Add a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]41
andybonsad92aa32015-08-31 02:27:44[diff] [blame]42```shell
43certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
44-i <certificate filename>
45```
andybons3322f762015-08-24 21:37:09[diff] [blame]46
andybonsad92aa32015-08-31 02:27:44[diff] [blame]47The TRUSTARGS are three strings of zero or more alphabetic characters, separated
48by commas. They define how the certificate should be trusted for SSL, email, and
49object signing, and are explained in the
50[certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193)
51or
52[Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
andybons3322f762015-08-24 21:37:09[diff] [blame]53
andybonsad92aa32015-08-31 02:27:44[diff] [blame]54For example, to trust a root CA certificate for issuing SSL server certificates,
55use
andybons3322f762015-08-24 21:37:09[diff] [blame]56
andybonsad92aa32015-08-31 02:27:44[diff] [blame]57```shell
58certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
59-i <certificate filename>
60```
andybons3322f762015-08-24 21:37:09[diff] [blame]61
62To import an intermediate CA certificate, use
63
andybonsad92aa32015-08-31 02:27:44[diff] [blame]64```shell
65certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
66-i <certificate filename>
67```
andybons3322f762015-08-24 21:37:09[diff] [blame]68
69Note: to trust a self-signed server certificate, we should use
70
andybonsad92aa32015-08-31 02:27:44[diff] [blame]71```
72certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
73-i <certificate filename>
74```
andybons3322f762015-08-24 21:37:09[diff] [blame]75
andybonsad92aa32015-08-31 02:27:44[diff] [blame]76This should work now, because
77[NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed
78to be fixed in a related bug report. If it doesn't work, then to work around
79the NSS bug, you have to trust it as a CA using the "C,," trust flags.
andybons3322f762015-08-24 21:37:09[diff] [blame]80
andybonsad92aa32015-08-31 02:27:44[diff] [blame]81#### Add a personal certificate and private key for SSL client authentication
andybons3322f762015-08-24 21:37:09[diff] [blame]82
83Use the command:
84
andybonsad92aa32015-08-31 02:27:44[diff] [blame]85 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
andybons3322f762015-08-24 21:37:09[diff] [blame]86
andybonsad92aa32015-08-31 02:27:44[diff] [blame]87to import a personal certificate and private key stored in a PKCS #12 file. The
88TRUSTARGS of the personal certificate will be set to "u,u,u".
andybons3322f762015-08-24 21:37:09[diff] [blame]89
andybonsad92aa32015-08-31 02:27:44[diff] [blame]90### Delete a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]91
andybonsad92aa32015-08-31 02:27:44[diff] [blame]92 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>