
January 26 2010


Trusting self-signed certificates with Google Chrome on Linux

Update: added the “C” flag to SSL attributes which I accidentally forgot to include.

If you’re not really sure about how you can stop Chrome from permanently reminding you that the server you’re connecting to is a bad boy (read: using a self-signed certificate), you’ll probably end up looking at CACert’s Browser Client page by way of Google. With a bit of reading documentation, you can probably find out how to import a self-signed certificate and mark it as trusted, but since you’re probably lazy, you’d rather just copy and paste a few instructions.

First, I have to stress that blindly trusting a certificate you download off the internet is a Bad Idea. But expressing a certain laissez-faire attitude: if you’re stupid enough to copy and paste blindly, you deserve it.

Second, simple copy and paste instructions:

openssl s_client -connect $HOST:443 -showcerts > temporary_file
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$HOST" -i temporary_file

Third, explanations:

  • s_client just connects to the given hostname, 443 being, as you should know, the (default) HTTP SSL port.
  • -showcerts shows all kinds of information about the certificate, including the certificate itself. You will probably have to hit ^C/^D to stop s_client.
  • If you get multiple (and different) certificates, the first one will be the server certificate, and the second one the CA certificate.
  • certutil (package hint: libnss3-tools) can be used to manage your local «Network Security Services» SQLite database.
  • The specified arguments for certutil are:
    1. The database to use (in this case, the user-specific NSS database).
    2. The flag to add something to the database (-A).
    3. The “trust types” for the certificate, in “SSL, S/MIME, CA” notation: “P” for a trusted peer, and “C” for a certificate authority that may issue server certificates.
    4. A shortname to identify the certificate in the database. The hostname works well and is fairly obvious.
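
Since the post stresses that blindly trusting a downloaded certificate is a Bad Idea, here is an added example (not part of the original post) that wraps the two commands so the import only happens when the server certificate's SHA-256 fingerprint matches one you obtained out of band. The function names and the `EXPECTED_SHA256` argument are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not the post's own code. All function names are hypothetical.

# Print only the first PEM block (the server certificate) from
# `openssl s_client -showcerts` output read on stdin.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { c = 1 }
         c { print }
         /-----END CERTIFICATE-----/ { if (c) exit }'
}

# Normalise a fingerprint: drop any "sha256 Fingerprint=" prefix,
# colons and whitespace, and upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if both fingerprints are non-empty and equal once normalised.
fp_matches() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# trust_host HOST EXPECTED_SHA256
# EXPECTED_SHA256 must come from a channel other than this connection
# (for example, read off the server's console by its administrator).
trust_host() {
    host=$1 expected=$2
    pem=$(mktemp) || return 1
    # </dev/null closes stdin, so s_client exits without needing ^C/^D.
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | first_cert > "$pem"
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) \
        || { rm -f "$pem"; return 1; }
    if fp_matches "$actual" "$expected"; then
        # Trust flags kept exactly as in the post. certutil documents the
        # three -t fields as SSL, e-mail (S/MIME) and object signing.
        certutil -d "sql:$HOME/.pki/nssdb" -A -t CP,,C -n "$host" -i "$pem"
        rc=$?
    else
        echo "fingerprint mismatch for $host: got $(norm_fp "$actual")" >&2
        rc=1
    fi
    rm -f "$pem"
    return $rc
}
```

Source the file and call `trust_host "$HOST" "<fingerprint from the server's owner>"`; a mismatch leaves the NSS database untouched.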