1# Linux Cert Management 2 3The easy way to manage certificates is navigate to chrome://settings/search#ssl. 4Then click on the "Manage Certificates" button. This will load a built-in 5interface for managing certificates. 6 7On Linux, Chromium uses the 8[NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the 9built-in manager does not work for you then you can configure certificates with 10the 11[NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/). 12 13## Details 14 15### Get the tools 16 17* Debian/Ubuntu: `sudo apt-get install libnss3-tools` 18* Fedora: `su -c "yum install nss-tools"` 19* Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && 20 emerge dev-libs/nss"` (You need to launch all commands below with the `nss` 21 prefix, e.g., `nsscertutil`.) 22* Opensuse: `sudo zypper install mozilla-nss-tools` 23 24### List all certificates 25 26 certutil -d sql:$HOME/.pki/nssdb -L 27 28#### Ubuntu Jaunty error 29 30Above (and most commands) gives: 31 32 certutil: function failed: security library: invalid arguments. 33 34Package version 3.12.3.1-0ubuntu0.9.04.2 35 36### List details of a certificate 37 38 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname> 39 40### Add a certificate 41 42```shell 43certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \ 44-i <certificate filename> 45``` 46 47The TRUSTARGS are three strings of zero or more alphabetic characters, separated 48by commas. They define how the certificate should be trusted for SSL, email, and 49object signing, and are explained in the 50[certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193) 51or 52[Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags). 53 54For example, to trust a root CA certificate for issuing SSL server certificates, 55use 56 57```shell 58certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \ 59-i <certificate filename> 60``` 61 62To import an intermediate CA certificate, use 63 64```shell 65certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \ 66-i <certificate filename> 67``` 68 69Note: to trust a self-signed server certificate, we should use 70 71``` 72certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \ 73-i <certificate filename> 74``` 75 76This should work now, because 77[NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed 78to be fixed in a related bug report. If it doesn't work, then to work around 79the NSS bug, you have to trust it as a CA using the "C,," trust flags. 80 81#### Add a personal certificate and private key for SSL client authentication 82 83Use the command: 84 85 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12 86 87to import a personal certificate and private key stored in a PKCS #12 file. The 88TRUSTARGS of the personal certificate will be set to "u,u,u". 89 90### Delete a certificate 91 92 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname> 93