# Linux Cert Management

The easy way to manage certificates is to navigate to chrome://settings/search#ssl.
Then click on the "Manage Certificates" button. This will load a built-in
interface for managing certificates.

On Linux, Chromium uses the
[NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
built-in manager does not work for you then you can configure certificates with
the
[NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).

## Details

### Get the tools

*   Debian/Ubuntu: `sudo apt-get install libnss3-tools`
*   Fedora: `su -c "yum install nss-tools"`
*   Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
    emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
    prefix, e.g., `nsscertutil`.)
*   openSUSE: `sudo zypper install mozilla-nss-tools`

### List all certificates

    certutil -d sql:$HOME/.pki/nssdb -L

#### Ubuntu Jaunty error

The above command (and most others) gives:

    certutil: function failed: security library: invalid arguments.

Package version 3.12.3.1-0ubuntu0.9.04.2

### List details of a certificate

    certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>

### Add a certificate

```shell
certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
-i <certificate filename>
```

The TRUSTARGS are three strings of zero or more alphabetic characters, separated
by commas. They define how the certificate should be trusted for SSL, email, and
object signing, and are explained in the
[certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193)
or
[Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags).

For example, to trust a root CA certificate for issuing SSL server certificates,
use

```shell
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
-i <certificate filename>
```

To import an intermediate CA certificate, use

```shell
certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
-i <certificate filename>
```

Note: to trust a self-signed server certificate, we should use

```shell
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
-i <certificate filename>
```

This should work now, because
[NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed
to be fixed in a related bug report. If it doesn't work, then to work around
the NSS bug, you have to trust it as a CA using the "C,," trust flags.

#### Add a personal certificate and private key for SSL client authentication

Use the command:

    pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12

to import a personal certificate and private key stored in a PKCS #12 file. The
TRUSTARGS of the personal certificate will be set to "u,u,u".

### Delete a certificate

    certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>

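The following is an added example, not part of the original page or of the NSS tools: a shell function that reads a `certutil -L` listing and reports every entry whose SSL trust string (the first of the three TRUSTARGS fields) contains `C` or `P`, the flags described above that make a certificate trusted. The function names and the listing in `sample_listing`, including its nicknames, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SSL trust flags shown by `certutil -L`.

# Constructed sample of `certutil -d sql:$HOME/.pki/nssdb -L` output.
# The nicknames are made up; only the column layout mirrors certutil.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Root CA                                         C,,
Example Corp Issuing CA                                      ,,
dev.example.test self-signed                                 P,,
alice client cert                                            u,u,u
EOF
}

# Reads a listing on stdin and prints one tab-separated line per entry
# whose SSL trust string contains C (trusted CA for server certificates)
# or P (trusted peer):  <reason> TAB <trust flags> TAB <nickname>
audit_ssl_trust() {
    awk '
    # Trust flags are the last field. Header and blank lines do not have
    # the "letters,letters,letters" shape and are skipped.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        trust = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop the trust column
        sub(/^[ \t]+/, "", nick)               # nicknames may contain spaces
        split(trust, field, ",")
        ssl = field[1]
        if (ssl ~ /C/)      printf "TRUSTED_CA\t%s\t%s\n", trust, nick
        else if (ssl ~ /P/) printf "TRUSTED_PEER\t%s\t%s\n", trust, nick
    }'
}

# Demonstration on the constructed listing.
sample_listing | audit_ssl_trust
```

To audit the real database, run `certutil -d sql:$HOME/.pki/nssdb -L | audit_ssl_trust`; entries you do not recognise can be inspected with `-L -n` and removed with the `-D` command above.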