Movatterモバイル変換

chromium /chromium /src /refs/heads/main /. /docs /linux /cert_management.md

blob: 61900f9b6d2f2374dfb363fc7727235bce8e8327 [file] [log] [blame] [view]

andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	1	# Linux Cert Management
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	2
Raphael Kubo da Costa	15d33ef	2021-11-18 18:26:02	[diff] [blame]	3	The easy way to manage certificatesis navigate to chrome://settings/certificates.
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	4	Then click on the"Manage Certificates" button.This will load a built-in
				5	interfacefor managing certificates.
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	6
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	7	OnLinux,Chromium uses the
				8	[NSSShared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the
				9	built-in manager doesnot workfor youthen you can configure certificateswith
				10	the
				11	[NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	12
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	13	## Details
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	14
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	15	### Get the tools
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	16
Raphael Kubo da Costa	92e0de2	2022-09-13 16:12:51	[diff] [blame]	17	*Debian/Ubuntu:`sudo apt install libnss3-tools`
				18	*Fedora:`sudo dnf install nss-tools`
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	19	*Gentoo:`su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use &&
				20	emerge dev-libs/nss"`(You need to launch all commands belowwith the`nss`
				21	prefix, e.g.,`nsscertutil`.)
				22	*Opensuse:`sudo zypper install mozilla-nss-tools`
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	23
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	24	### List all certificates
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	25
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	26	certutil-d sql:$HOME/.pki/nssdb-L
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	27
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	28	### List details of a certificate
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	29
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	30	certutil-d sql:$HOME/.pki/nssdb-L-n<certificate nickname>
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	31
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	32	### Add a certificate
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	33
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	34	```shell
				35	certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> \
				36	-i <certificate filename>
				37	```
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	38
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	39	The TRUSTARGS are three strings of zeroor more alphabetic characters, separated
				40	by commas.They define how the certificate should be trustedfor SSL, email,and
				41	object signing,and are explainedin the
Raphael Kubo da Costa	92e0de2	2022-09-13 16:12:51	[diff] [blame]	42	[certutil docs](https://firefox-source-docs.mozilla.org/security/nss/legacy/tools/nss_tools_certutil/index.html)
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	43	or
Raphael Kubo da Costa	92e0de2	2022-09-13 16:12:51	[diff] [blame]	44	[Meena's blog post on trust flags](https://web.archive.org/web/20131212024426/https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	45
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	46	For example, to trust a root CA certificate for issuing SSL server certificates,
				47	use
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	48
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	49	```shell
				50	certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> \
				51	-i <certificate filename>
				52	```
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	53
				54	To import an intermediate CA certificate, use
				55
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	56	```shell
				57	certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> \
				58	-i <certificate filename>
				59	```
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	60
				61	Note: to trust a self-signed server certificate, we should use
				62
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	63	```
				64	certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> \
				65	-i <certificate filename>
				66	```
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	67
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	68	#### Add a personal certificate and private key for SSL client authentication
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	69
				70	Use the command:
				71
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	72	pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	73
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	74	to import a personal certificate and private key stored in a PKCS #12 file. The
				75	TRUSTARGS of the personal certificate will be set to "u,u,u".
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	76
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	77	### Delete a certificate
andybons	3322f76	2015-08-24 21:37:09	[diff] [blame]	78
andybons	ad92aa3	2015-08-31 02:27:44	[diff] [blame]	79	certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>