Ubuntu Chrome browser: import a self signed certificate

Add your own self signed certificate, perhaps for use with webmail

=Get the (self signed) certificate=

You can get your (self signed) certificate from your site either via the command line below, or by clicking on the crossed out https:// in the address bar.

Via GUI
Right click in the address bar on the crossed out https://

Go to Certificate Information > Details > Export > BASE64-encoded ASCII, single certificate > (choose location to save), name the file with a .pem extension [www.scaryscary.com.pem] > Close. [The file extension isn't really important; it is an ASCII-formatted cert in .crt/.pem style.]

Via CLI
$ echo QUIT | openssl s_client -connect www.scaryscary.com:443 | sed -ne '/BEGIN CERT/,/END CERT/p' > /tmp/www.scaryscary.com.pem

It should produce this (if you remove the redirection so the output goes to stdout):

$ echo QUIT | openssl s_client -connect www.scaryscary.com:443 | sed -ne '/BEGIN CERT/,/END CERT/p'
depth=0 C = AU, ST = Some-State, O = scaryscary, OU = scaryscary, CN = www.scaryscary.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = scaryscary, OU = scaryscary, CN = www.scaryscary.com
verify return:1
DONE
-----BEGIN CERTIFICATE-----
[base64-encoded certificate body]

=Add (self signed) certificate=

This can again be done via the CLI or the GUI in Chrome. You will need to restart Chrome for any changes to take effect (both adding and removing the certificate).

Via GUI
Go to Chrome's 'Settings' via the right hand button or this URL in address bar

chrome://chrome/settings/

> Show advanced Settings > Manage certificates > Authorities > Import, browse to the certificate you saved (e.g. www.scaryscary.com.pem) and import

Tick 'trust this Certificate for identifying web sites', OK.

Via CLI
The certutil options used in the command below:

-A               Add a certificate to the database

-t trustargs     Set the certificate trust attributes: C = trusted CA to issue server certs (implies c)

-n cert-name     Specify the nickname of the certificate to add (can be anything)

-i input         Specify the certificate file (default is stdin)


 * Note you MUST have the sql bit (-d sql:), otherwise it will add it and everything will look OK, but it won't work (and it won't appear in Chrome's certificate list)

$ certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "webmail" -i /tmp/www.scaryscary.com.pem

Check it is there (again with the sql: prefix, so the same database is read)
$ certutil -L -d sql:$HOME/.pki/nssdb

Certificate Nickname                                        Trust Attributes SSL,S/MIME,JAR/XPI

webmail                                                     C,,

Check the actual certificate looks about right
$ certutil -L -d sql:$HOME/.pki/nssdb -n "webmail"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 00:81:e4:42:62:5b:e0:2f:3b
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=www.scaryscary.com,OU=scaryscary,O=scaryscary,ST=Some-State,C=AU"

You can check it is there by looking in Chrome's GUI:

 * Show advanced Settings > Manage certificates > Authorities; it should now be listed here

Once you restart Chrome and it works you can delete it from NSS if you wish.
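
The s_client fetch above is unauthenticated, and "C,," marks whatever it returned as a trusted CA for server certificates, so it is worth comparing the certificate's fingerprint with one read directly from the server before importing. A sketch of that check as an added example (not part of the original page; the function names and the NSSDB variable are hypothetical):

```shell
#!/bin/sh
# Added example: import a fetched certificate only if its SHA-256 fingerprint
# matches one obtained out of band (e.g. read on the server's own console).
# Function names and the NSSDB variable are hypothetical, not from the page.

NSSDB="sql:$HOME/.pki/nssdb"   # same database the page's certutil command uses

# Reduce "sha256 Fingerprint=AB:cd:..." or "ab cd ..." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the first value is 64 hex digits and both are identical.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# import_if_pinned PEMFILE EXPECTED_FP NICKNAME
# Returns 0 on import, 1 on fingerprint mismatch, 2 if the file is not a cert.
import_if_pinned() {
    pem=$1 expected=$2 nick=$3
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null) || return 2
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $pem, not importing" >&2
        echo "  got: $(normalize_fp "$actual")" >&2
        return 1
    fi
    certutil -d "$NSSDB" -A -t "C,," -n "$nick" -i "$pem"
}

# Usage (the fingerprint here is a placeholder, substitute the real one):
#   import_if_pinned /tmp/www.scaryscary.com.pem "AA:BB:...:FF" webmail
```

On the server, `openssl x509 -in <cert file> -noout -fingerprint -sha256` prints the value to compare against.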

=How not to do it=


 * Don't reach for Seahorse (Passwords and Keys) / keyrings; you need to use the 'NSS Shared DB', which has no GUI of its own, or Chrome's GUI.

Just FYI about importing SSL certs generally....

Have the certificate as base64 ASCII (aka .pem or .crt), named something.crt [it must end in .crt]. Save it to /usr/local/share/ca-certificates/, e.g. /usr/local/share/ca-certificates/something.crt, then run:

$ sudo update-ca-certificates

Browsing to /etc/ssl/certs you should now see a symlink to the cert in /usr/local/share/
