Tumblelog by Soup.io

January 26 2010


Trusting self-signed certificates with Google Chrome on Linux

Update: added the “C” flag to SSL attributes which I accidentally forgot to include.

If you’re not sure how to stop Chrome from constantly reminding you that the server you’re connecting to is a bad boy (read: using a self-signed certificate), you’ll probably end up at CACert’s Browser Client page by way of Google. With a bit of documentation reading, you can probably find out how to import a self-signed certificate and mark it as trusted, but since you’re probably lazy, you’d rather just copy and paste a few instructions.

First, I have to stress that blindly trusting a certificate you download off the internet is a Bad Idea. But, expressing a certain laissez-faire attitude: if you’re stupid enough to copy and paste blindly, you deserve it.

Second, simple copy and paste instructions:

openssl s_client -connect $HOST:443 -showcerts > temporary_file
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$HOST" -i temporary_file

Third, explanations:

  • s_client just connects to the given hostname, 443 being, as you should know, the (default) HTTP SSL port.
  • -showcerts shows all kinds of information about the certificate, including the certificate itself. You will probably have to hit ^C/^D to stop s_client.
  • If you get multiple (and different) certificates, the first one will be the server certificate, and the second one the CA certificate.
  • certutil (package hint: libnss3-tools) can be used to manage your local «Network Security Services» SQLite database.
  • The specified arguments for certutil are:
    1. The database to use (in this case, the user-specific NSS database).
    2. The flag to add something to the database (-A).
    3. The “trust types” for the certificate, in “SSL, S/MIME, CA” notation: “P” for a trusted peer, and “C” for a certificate authority that may issue server certificates.
    4. A shortname to identify the certificate in the database. The hostname works well and is fairly obvious.
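
The warning above about blindly trusting a downloaded certificate can be turned into a check: import only if the fetched server certificate's SHA-256 fingerprint matches one obtained out of band (for example, read from the server's console). This is an added example, not part of the original post; the function names, the `-servername` option and the `</dev/null` redirect are choices made here, while the certutil line is the one from the post.

```shell
#!/bin/sh
# Added example: pin-check a certificate before trusting it in the NSS database.

# Print only the first PEM certificate block (the server certificate) from
# `openssl s_client -showcerts` output read on stdin.
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Normalize a fingerprint for comparison: strip any "label=" prefix, colons
# and whitespace, and upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of the PEM certificate stored in file $1
# (empty output if the file holds no parsable certificate).
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# trust_host HOST EXPECTED_FP: fetch the server certificate, compare it with
# the out-of-band fingerprint, and only then import it with the post's flags.
trust_host() {
    host=$1
    expected=$(normalize_fp "$2")
    pem=$(mktemp) || return 1
    # </dev/null makes s_client exit after the handshake instead of waiting.
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | first_pem_cert >"$pem"
    actual=$(cert_fp "$pem")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $host: got '$actual'" >&2
        rm -f "$pem"
        return 1
    fi
    certutil -d "sql:$HOME/.pki/nssdb" -A -t CP,,C -n "$host" -i "$pem"
    status=$?
    rm -f "$pem"
    return $status
}
```

Call it as `trust_host "$HOST" "AB:CD:..."` with the fingerprint you were given through a separate channel; nothing is added to the database on a mismatch.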

July 10 2008


ssh-keygen, the web-based SSH Key Generator

This web site provides a reliable and cost-effective way to get properly generated ssh keys. To get your free ssh key pair, fill out this form, print for your records, and submit.