NSS certutil playground

tested with Google Chrome v124

backup first

cp -a ~/.pki/ ~/.pki.`date +%s`/

enable additional root CA for all-sites

cert=cert_file.crt
nick=cert_file

cd ~/.pkg/nssdb/
ls -lF $cert

certutil -d sql:$HOME/.pki/nssdb -A -t "C" -n $nick -i $cert

enable site-specific ssl server auth

cert=something.internal.crt
nick=something.internal
site=something.internal

cd ~/.pki/nssdb/

echo Q | openssl s_client -connect $site:443 > $site.crt
openssl x509 -in $cert -noout -sha256 -fingerprint

certutil -d sql:$HOME/.pki/nssdb -A -t "P" -n $nick -i $cert

acceptance

curl -I https://something.internal/

resources

nss db

https://manpages.debian.org/bookworm/libnss3-tools/certutil.1.en.html ==> -t

https://superuser.com/questions/1772957/how-to-trust-a-self-signed-ssl-root-ca-in-chrome-on-debian-via-terminal ==> see second edit

https://superuser.com/questions/104146/add-permanent-ssl-certificate-exception-in-chrome-linux ==> linked from above

https://superuser.com/questions/1695693/adding-self-signed-certificate-into-trusted-ca-on-chromium-for-linux

https://stackoverflow.com/questions/71654225/how-to-enable-authority-ca-root-in-google-chrome-ubuntu-through-command-line

https://unix.stackexchange.com/questions/77794/where-does-chrome-gets-its-list-of-certificate-authorities-from ==> finally, the location of the system-wide trust store

fingerprint

https://stackoverflow.com/questions/22030264/how-can-i-create-a-sha256-fingerprint-in-openssl