NSS certutil playground

tested with Google Chrome v124

backup first

cp -a ~/.pki/ ~/.pki.`date +%s`/

enable additional root CA for all-sites

cert=cert_file.crt
nick=cert_file

cd ~/.pki/nssdb/
ls -lF $cert

certutil -d sql:$HOME/.pki/nssdb -A -t "C" -n $nick -i $cert

enable site-specific ssl server auth

cd ~/.pki/nssdb/

site=site.local

echo Q | openssl s_client -connect $site:443 > $site.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "P" -n $site -i $site.crt

acceptance

open google chrome against those web sites

clean-up

certutil -d sql:$HOME/.pki/nssdb -D -n nick-intermediate
certutil -d sql:$HOME/.pki/nssdb -D -n nick-ca
certutil -d sql:$HOME/.pki/nssdb -L

additional notes

openssl x509 -in $cert -noout -sha256 -fingerprint

resources

nss db

https://manpages.debian.org/bookworm/libnss3-tools/certutil.1.en.html ==> -t

https://superuser.com/questions/1772957/how-to-trust-a-self-signed-ssl-root-ca-in-chrome-on-debian-via-terminal ==> see second edit

https://superuser.com/questions/104146/add-permanent-ssl-certificate-exception-in-chrome-linux ==> linked from above

https://superuser.com/questions/1695693/adding-self-signed-certificate-into-trusted-ca-on-chromium-for-linux

https://stackoverflow.com/questions/71654225/how-to-enable-authority-ca-root-in-google-chrome-ubuntu-through-command-line

https://unix.stackexchange.com/questions/77794/where-does-chrome-gets-its-list-of-certificate-authorities-from ==> finally, the location of the system-wide trust store

fingerprint

https://stackoverflow.com/questions/22030264/how-can-i-create-a-sha256-fingerprint-in-openssl


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5 | CONTACT
Copyright © 2024 Pierre-Philipp Braun