Ubuntu chrome browser import self signed certificate

From richud.com

Add your own self signed certificate, perhaps for use with webmail

Get the (self signed) certificate

You can get your (self signed) certificate from your site either via the command line below, or by clicking on the crossed out https:// in the address bar.

Via GUI

Right click in the address bar on the crossed out https://

Go to Certificate Information > Details > Export > BASE64-encoded ascii, single certificate > (choose location to save), append .pem to the file name [www.scaryscary.com.pem] > Close. [The file extension isn't really important; it is an ASCII formatted cert, .crt/.pem style.]

Via CLI

$ echo QUIT | openssl s_client -connect www.scaryscary.com:443 | sed -ne '/BEGIN CERT/,/END CERT/p' > /tmp/www.scaryscary.com.pem

This should produce the following (shown here with the redirection to a file removed, so the output goes to stdout):

$ echo QUIT | openssl s_client -connect www.scaryscary.com:443 | sed -ne '/BEGIN CERT/,/END CERT/p'
depth=0 C = AU, ST = Some-State, O = scaryscary, OU = scaryscary, CN = www.scaryscary.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = scaryscary, OU = scaryscary, CN = www.scaryscary.com
verify return:1
DONE
-----BEGIN CERTIFICATE-----
<snip>

Add (self signed) certificate

This can again be done via CLI or GUI in Chrome. You will need to restart Chrome for any change to take effect (both adding and removing the certificate).

Via GUI

Go to Chrome's 'Settings' via the right hand button, or enter this URL in the address bar:

chrome://chrome/settings/

> Show advanced Settings > Manage certificates > Authorities > Import , browse to the certificate you saved (e.g. www.scaryscary.com.pem) and import

Tick 'trust this Certificate for identifying web sites', OK.

Via CLI

-A Add a certificate to the database

-t trustargs Set the certificate trust attributes: C trusted CA to issue server certs (implies c)

-n cert-name Specify the nickname of the certificate to add (can be anything)

-i input Specify the certificate file (default is stdin)

  • Note you MUST have the sql bit (-d sql:), otherwise it will add it and everything will look OK, but it won't work (and it won't appear in Chrome's certificate list)

$ certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "webmail" -i /tmp/www.scaryscary.com.pem

Check it is there

$ certutil -L -d sql:$HOME/.pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

webmail                                                      C,,  

Check the actual certificate looks about right

$ certutil -L -d sql:$HOME/.pki/nssdb -n "webmail"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:81:e4:42:62:5b:e0:2f:3b
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=www.scaryscary.com,OU=scaryscary,O=scaryscary,ST=Some-Sta
            te,C=AU"
<snip>

You can also check it is there by looking in Chrome's GUI:

  • > Show advanced Settings > Manage certificates > Authorities; it should now be listed here

Once you restart Chrome and it works you can delete it from NSS if you wish.
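The `s_client` fetch above saves whatever certificate the network path presents, so the following added example (not part of the original page) compares the fetched certificate's SHA-256 fingerprint with one obtained out of band before running the same `certutil` import. The function names and the `-servername` (SNI) option are additions made here; host, nickname and expected fingerprint are supplied by the caller.

```shell
# Added example (hypothetical helper names): pin by fingerprint before trusting.

# Keep only the first PEM certificate block from `openssl s_client` output on stdin.
first_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        sed '/-----END CERTIFICATE-----/q'
}

# Normalise a fingerprint: drop a leading "sha256 Fingerprint=" label, colons and
# whitespace, then upper-case, so values copied from different tools compare equal.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same 64 hex digits (a SHA-256 fingerprint).
fp_matches() {
    local a b
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# usage: import_pinned HOST NICKNAME EXPECTED_SHA256
# EXPECTED_SHA256 must come from a trusted channel (e.g. read on the server itself).
import_pinned() {
    local host="$1" nick="$2" want="$3" pem got rc
    pem=$(mktemp) || return 1
    echo QUIT | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null |
        first_pem > "$pem"
    got=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || { rm -f "$pem"; return 1; }
    if fp_matches "$got" "$want"; then
        # Same import as above, reached only after the fingerprint check passes.
        rc=0
        certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -n "$nick" -i "$pem" || rc=$?
    else
        echo "fingerprint mismatch for $host: got $(norm_fp "$got")" >&2
        rc=1
    fi
    rm -f "$pem"
    return "$rc"
}
```

The expected fingerprint can be read on the server itself with `openssl x509 -in <server certificate file> -noout -fingerprint -sha256`.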

How not to do it

  • Don't think Seahorse (Passwords and Keys) / keyrings; you need to use the 'NSS Shared DB', which has no GUI, or Chrome's GUI.

Just FYI about importing SSL certs generally....

Have the certificate as base64-ascii (aka .pem or .crt) named something.crt, [it must end .crt] . Save to /usr/local/share/ca-certificates/ e.g. /usr/local/share/ca-certificates/something.crt

sudo update-ca-certificates

Browsing to /etc/ssl/certs you should now see a symlink to the cert in /usr/local/share/
