1 # Linux Cert Management
4 **NOTE:** SSL client authentication with personal certificates does not work
5 completely in Linux, see [issue 16830](https://crbug.com/16830) and
6 [issue 25241](https://crbug.com/25241).
9 The easy way to manage certificates is navigate to chrome://settings/search#ssl.
10 Then click on the "Manage Certificates" button. This will load a built-in
11 interface for managing certificates.
13 On Linux, Chromium uses the
14 [NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
15 built-in manager does not work for you then you can configure certificates with
17 [NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).
23 * Debian/Ubuntu: `sudo apt-get install libnss3-tools`
24 * Fedora: `su -c "yum install nss-tools"`
25 * Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
26 emerge dev-libs/nss"` (You need to launch all commands below with the `nss`
27 prefix, e.g., `nsscertutil`.)
28 * Opensuse: `sudo zypper install mozilla-nss-tools`
30 ### List all certificates
32 certutil -d sql:$HOME/.pki/nssdb -L
34 #### Ubuntu Jaunty error
36 Above (and most commands) gives:
38 certutil: function failed: security library: invalid arguments.
40 Package version 3.12.3.1-0ubuntu0.9.04.2
42 ### List details of a certificate
44 certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
49 certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
50 -i <certificate filename>
53 The TRUSTARGS are three strings of zero or more alphabetic characters, separated
54 by commas. They define how the certificate should be trusted for SSL, email, and
55 object signing, and are explained in the
56 [certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193)
58 [Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
60 For example, to trust a root CA certificate for issuing SSL server certificates,
64 certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
65 -i <certificate filename>
68 To import an intermediate CA certificate, use
71 certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
72 -i <certificate filename>
75 Note: to trust a self-signed server certificate, we should use
78 certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
79 -i <certificate filename>
82 This should work now, because
83 [NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed
84 to be fixed in a related bug report. If it doesn't work, then to work around
85 the NSS bug, you have to trust it as a CA using the "C,," trust flags.
87 #### Add a personal certificate and private key for SSL client authentication
91 pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
93 to import a personal certificate and private key stored in a PKCS #12 file. The
94 TRUSTARGS of the personal certificate will be set to "u,u,u".
96 ### Delete a certificate
98 certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>