Trusting self-signed certificates with Google Chrome on Linux

Update: added the “C” flag to SSL attributes which I accidentally forgot to include.
Also changed $HOST to $host, as $HOST is the shell parameter for the current hostname…

If you’re not really sure how to stop Chrome from permanently reminding you that the server you’re connecting to is a bad boy (read: uses a self-signed certificate), a Google search will probably land you on CAcert’s Browser Client page. With a bit of reading you can work out how to import a self-signed certificate and mark it as trusted, but since you’re probably lazy, you’d rather just copy and paste a few commands.

First, I have to stress that blindly trusting a certificate you download off the internet is a Bad Idea: the commands below trust whatever certificate the connection hands you, so anyone able to intercept that connection gets trusted too. Check the fingerprint against one obtained out of band (for example, from the server operator) before importing it. That said, with a certain laissez-faire attitude: if you’re stupid enough to copy and paste blindly, you deserve it.

Second, simple copy and paste instructions:

openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null > temporary_file
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$host" -i temporary_file

Third, explanations:

  • s_client just connects to the given hostname; 443 is, as you should know, the default HTTPS port. -servername sends the hostname as SNI, so a server hosting several names returns the certificate for the one you asked for.
  • -showcerts prints the whole certificate chain the server sent, including the PEM-encoded certificates themselves. s_client then waits for input on stdin, so unless you redirect stdin from /dev/null you will have to hit ^C/^D to make it exit.
  • If you get multiple (and different) certificates, the first one is the server certificate and the following ones are the CA/intermediate certificates that issued it. certutil -A reads only the first certificate it finds in the file, which is the one you want here.
  • certutil (package hint: libnss3-tools) manages your local «Network Security Services» certificate database; the sql: prefix selects the SQLite-backed database format that Chrome uses.
  • The arguments given to certutil are:
    1. -d: the database to use (in this case, the user-specific NSS database that Chrome reads).
    2. -A: add a certificate to the database.
    3. -t: the trust flags, given as three comma-separated fields in “SSL, S/MIME, object signing” notation. “P” marks the certificate itself as a trusted peer; “C” marks it as a valid CA, so any certificate it has signed is trusted as well. For a self-signed server certificate “P” in the SSL field is what matters; “C” is broader than trusting the one certificate, so only keep it if you need that.
    4. -n: a nickname to identify the certificate in the database. The hostname works well and is fairly obvious.
    5. -i: the file containing the certificate; certutil picks the PEM block out of the surrounding s_client output.
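The two commands above, expanded into a script as an added example (not from the original post): it fetches the chain, keeps only the leaf certificate, prints its SHA-256 fingerprint so you can compare it with one obtained out of band before anything is trusted, then imports it and lists the resulting entry. The database path, the trust flags (defaulting to the post’s CP,,C) and the embedded sample s_client output are assumptions/constructed data; selftest() checks the PEM extraction against that sample without touching the network.

```sh
#!/bin/sh
# Added example (not from the original post): fetch a server's leaf certificate,
# show its fingerprint so it can be checked out of band, and import it into the
# per-user NSS database Chrome reads. Database path, trust flags and the sample
# s_client output below are assumptions / constructed test data.

NSSDB="${NSSDB:-sql:$HOME/.pki/nssdb}"
# The post uses CP,,C; "P" alone (trusted peer) trusts just this certificate,
# while "C" also trusts anything it has signed.
TRUST="${TRUST:-CP,,C}"

# Grab the chain. -servername sends SNI so virtual hosts return the right
# certificate; stdin from /dev/null makes s_client exit instead of waiting.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Keep only the first PEM block: s_client prints the leaf certificate first,
# followed by any intermediates, and we want to trust the leaf only.
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { seen = 1 }
         seen { print }
         /-----END CERTIFICATE-----/ { if (seen) exit }'
}

# Count PEM certificates on stdin (grep -c exits 1 on zero matches, hence || true).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Import $1's leaf certificate after showing what is about to be trusted.
import_cert() {
    host="$1"
    cert_file="$(mktemp)"
    fetch_chain "$host" | extract_first_cert >"$cert_file"
    if [ ! -s "$cert_file" ]; then
        echo "no certificate received from $host" >&2
        rm -f "$cert_file"
        return 1
    fi
    echo "Leaf certificate offered by $host:"
    openssl x509 -in "$cert_file" -noout -subject -issuer -enddate -fingerprint -sha256
    # Compare the fingerprint with one obtained out of band (e.g. from the
    # server operator); an attacker in the path would be imported just as happily.
    printf 'Fingerprint matches and you want to trust it? [y/N] '
    read -r answer
    case "$answer" in
        y|Y) ;;
        *) rm -f "$cert_file"; return 1 ;;
    esac
    certutil -d "$NSSDB" -A -t "$TRUST" -n "$host" -i "$cert_file"
    rm -f "$cert_file"
    # Show the stored entry with its trust flags; remove it later with
    #   certutil -d "$NSSDB" -D -n "$host"
    certutil -d "$NSSDB" -L | grep -F -- "$host"
}

# Constructed sample of s_client -showcerts output (not real certificates),
# used to exercise extract_first_cert offline.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:CN = example.test
-----BEGIN CERTIFICATE-----
LEAFCERTLINE1
LEAFCERTLINE2
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
CACERTLINE1
-----END CERTIFICATE-----
---'

# Returns 0 if extract_first_cert keeps exactly the leaf from SAMPLE_CHAIN.
selftest() {
    leaf="$(printf '%s\n' "$SAMPLE_CHAIN" | extract_first_cert)"
    [ "$(printf '%s\n' "$SAMPLE_CHAIN" | count_certs)" = 2 ] || return 1
    [ "$(printf '%s\n' "$leaf" | count_certs)" = 1 ] || return 1
    case "$leaf" in *CACERTLINE1*) return 1 ;; esac
    return 0
}

# With a hostname argument, do the real import; without one, define the
# functions only (so the file can be sourced or self-tested).
if [ -n "${1:-}" ]; then
    import_cert "$1"
fi
```

Run it as `sh trust-cert.sh $host` (the filename is my choice). `certutil -d sql:$HOME/.pki/nssdb -L` lists everything in the database together with its trust flags, and `certutil -d sql:$HOME/.pki/nssdb -D -n "$host"` removes the entry again if you change your mind.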