
I need to trust a self-signed certificate on a lot of managed Linux desktops. I have imported it into the OS trust store, and curl, wget etc. trust it.

However, browsers like Firefox and Chrome (Chromium) use their own trust store. Firefox has an option to use the system trust store, but that is broken on Linux and marked as "Wontfix" in their bug tracker. There is still the option to install certificates into the Firefox trust store with their enterprise policies, though.

I was looking for the same thing in the Chromium policies, but I have not found any evidence of there being such a thing.

So my question is basically the same as this one: How to make Chrome trust Windows system root CA certificate? but on Linux.

If using the OS trust store is not an option, importing select certificates would be a good workaround.


In Ubuntu, Chrome uses its own certificate store, so you need to import the OS certificates inside Chrome's store.

Using the GUI, this is done using Manage certificates in Settings.

The article How to import CA root certificates on Linux and Windows contains the following script to copy OS certificates to the browser, which you could modify according to your need (or remove unneeded parts).

The script needs certutil. If not installed, use sudo apt install libnss3-tools.

Here is the script for installing the root CA in Firefox, Chrome, Chromium, Vivaldi and other browsers. Note that future updates to the OS store are not copied automatically.

#!/bin/bash

### Script installs root.cert.pem to certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Mozilla uses cert8, Chromium and Chrome use cert9

###
### Requirement: apt install libnss3-tools
###

###
### CA file to install (CUSTOMIZE!)
###

certfile="root.cert.pem"
certname="My Root CA"

# Fail early instead of letting every certutil call fail on a missing file
[ -r "${certfile}" ] || { echo "cannot read ${certfile}" >&2; exit 1; }

###
### For cert8 (legacy - DBM)
###

# -print0 / read -d '' keep paths containing spaces (e.g. profile names) intact
find ~/ -name "cert8.db" -print0 | while IFS= read -r -d '' certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "dbm:${certdir}"
done

###
### For cert9 (SQL)
###

find ~/ -name "cert9.db" -print0 | while IFS= read -r -d '' certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:${certdir}"
done
harrymc
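An added example of the same certutil approach, written here and not taken from the answer above or the linked article: it runs once as root over every home directory (the question mentions centrally managed desktops), skips databases that already contain the CA so repeated runs are harmless, and grants only SSL CA trust ("C,,") rather than the broader flags in the script above. The search root /home, the use of cert9.db (SQL) databases only, and the certificate file name passed in are assumptions.

```bash
#!/bin/bash
# Added example (not the original answer's code): idempotent, root-run CA import into
# every NSS cert9.db below a directory tree, suitable for a config-management exec.
set -u

# Print each directory holding a cert9.db (Chromium: ~/.pki/nssdb; Firefox: profile dirs).
nss_db_dirs() {
    find "$1" -name cert9.db -exec dirname {} \; 2>/dev/null | sort -u
}

# Exit 0 if a certificate with this nickname is already in the database.
ca_present() {
    certutil -L -d "sql:$1" -n "$2" >/dev/null 2>&1
}

# Import the CA with SSL CA trust only ("C,,"); skip if present; restore ownership.
install_ca() {
    local dbdir=$1 certfile=$2 certname=$3 owner
    if ca_present "$dbdir" "$certname"; then
        echo "skip  $dbdir (already present)"
        return 0
    fi
    certutil -A -d "sql:$dbdir" -n "$certname" -t "C,," -i "$certfile" || return 1
    # certutil may create files as root; hand them back so the browser can open the DB.
    owner=$(stat -c '%U:%G' "$dbdir") && chown -R "$owner" "$dbdir"
    echo "added $dbdir"
}

# Usage: main /path/to/root.cert.pem "My Root CA" [/home]   (arguments are placeholders)
main() {
    local certfile=$1 certname=$2 root=${3:-/home}
    command -v certutil >/dev/null 2>&1 || { echo "certutil missing: apt install libnss3-tools" >&2; return 2; }
    [ -r "$certfile" ] || { echo "cannot read $certfile" >&2; return 2; }
    nss_db_dirs "$root" | while IFS= read -r dir; do
        install_ca "$dir" "$certfile" "$certname"
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from the agent after each CA rotation; the "skip"/"added" lines give a per-user audit trail of which browser stores actually received the certificate.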
    I am looking to manage this via policies and not via the GUI or certutil. Those options would require intervention from the user to click through the GUI or run the command. I want to use the already present Puppet agent to deploy that configuration. – Mining_Pickaxe Apr 25 '22 at 13:06