Google Git
Sign in
chromium / chromium / src / refs/heads/main / . / docs / linux / cert_management.md
blob: 61900f9b6d2f2374dfb363fc7727235bce8e8327 [file] [log] [blame] [view]
andybonsad92aa32015-08-31 02:27:44[diff] [blame]1# Linux Cert Management
andybons3322f762015-08-24 21:37:09[diff] [blame]2
Raphael Kubo da Costa15d33ef2021-11-18 18:26:02[diff] [blame]3The easy way to manage certificates is navigate to chrome://settings/certificates.
andybonsad92aa32015-08-31 02:27:44[diff] [blame]4Then click on the "Manage Certificates" button. This will load a built-in
5interface for managing certificates.
andybons3322f762015-08-24 21:37:09[diff] [blame]6
andybonsad92aa32015-08-31 02:27:44[diff] [blame]7On Linux, Chromium uses the
8[NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
9built-in manager does not work for you then you can configure certificates with
10the
11[NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).
andybons3322f762015-08-24 21:37:09[diff] [blame]12
andybonsad92aa32015-08-31 02:27:44[diff] [blame]13## Details
andybons3322f762015-08-24 21:37:09[diff] [blame]14
andybonsad92aa32015-08-31 02:27:44[diff] [blame]15### Get the tools
andybons3322f762015-08-24 21:37:09[diff] [blame]16
Raphael Kubo da Costa92e0de22022-09-13 16:12:51[diff] [blame]17* Debian/Ubuntu: `sudo apt install libnss3-tools`
18* Fedora: `sudo dnf install nss-tools`
andybonsad92aa32015-08-31 02:27:44[diff] [blame]19* Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
20 emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
21 prefix, e.g., `nsscertutil`.)
22* Opensuse: `sudo zypper install mozilla-nss-tools`
andybons3322f762015-08-24 21:37:09[diff] [blame]23
andybonsad92aa32015-08-31 02:27:44[diff] [blame]24### List all certificates
andybons3322f762015-08-24 21:37:09[diff] [blame]25
andybonsad92aa32015-08-31 02:27:44[diff] [blame]26 certutil -d sql:$HOME/.pki/nssdb -L
andybons3322f762015-08-24 21:37:09[diff] [blame]27
andybonsad92aa32015-08-31 02:27:44[diff] [blame]28### List details of a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]29
andybonsad92aa32015-08-31 02:27:44[diff] [blame]30 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
andybons3322f762015-08-24 21:37:09[diff] [blame]31
andybonsad92aa32015-08-31 02:27:44[diff] [blame]32### Add a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]33
andybonsad92aa32015-08-31 02:27:44[diff] [blame]34```shell
35certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
36-i <certificate filename>
37```
andybons3322f762015-08-24 21:37:09[diff] [blame]38
andybonsad92aa32015-08-31 02:27:44[diff] [blame]39The TRUSTARGS are three strings of zero or more alphabetic characters, separated
40by commas. They define how the certificate should be trusted for SSL, email, and
41object signing, and are explained in the
Raphael Kubo da Costa92e0de22022-09-13 16:12:51[diff] [blame]42[certutil docs](https://firefox-source-docs.mozilla.org/security/nss/legacy/tools/nss_tools_certutil/index.html)
andybonsad92aa32015-08-31 02:27:44[diff] [blame]43or
Raphael Kubo da Costa92e0de22022-09-13 16:12:51[diff] [blame]44[Meena's blog post on trust flags](https://web.archive.org/web/20131212024426/https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
andybons3322f762015-08-24 21:37:09[diff] [blame]45
andybonsad92aa32015-08-31 02:27:44[diff] [blame]46For example, to trust a root CA certificate for issuing SSL server certificates,
47use
andybons3322f762015-08-24 21:37:09[diff] [blame]48
andybonsad92aa32015-08-31 02:27:44[diff] [blame]49```shell
50certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
51-i <certificate filename>
52```
andybons3322f762015-08-24 21:37:09[diff] [blame]53
54To import an intermediate CA certificate, use
55
andybonsad92aa32015-08-31 02:27:44[diff] [blame]56```shell
57certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
58-i <certificate filename>
59```
andybons3322f762015-08-24 21:37:09[diff] [blame]60
61Note: to trust a self-signed server certificate, we should use
62
andybonsad92aa32015-08-31 02:27:44[diff] [blame]63```
64certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
65-i <certificate filename>
66```
andybons3322f762015-08-24 21:37:09[diff] [blame]67
andybonsad92aa32015-08-31 02:27:44[diff] [blame]68#### Add a personal certificate and private key for SSL client authentication
andybons3322f762015-08-24 21:37:09[diff] [blame]69
70Use the command:
71
andybonsad92aa32015-08-31 02:27:44[diff] [blame]72 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
andybons3322f762015-08-24 21:37:09[diff] [blame]73
andybonsad92aa32015-08-31 02:27:44[diff] [blame]74to import a personal certificate and private key stored in a PKCS #12 file. The
75TRUSTARGS of the personal certificate will be set to "u,u,u".
andybons3322f762015-08-24 21:37:09[diff] [blame]76
andybonsad92aa32015-08-31 02:27:44[diff] [blame]77### Delete a certificate
andybons3322f762015-08-24 21:37:09[diff] [blame]78
andybonsad92aa32015-08-31 02:27:44[diff] [blame]79 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>