10

I need to trust a self-signed certificate on a lot of managed Linux desktops. I have imported them into the trust store of the OS, and curl, wget etc. trust them.

However, browsers like Firefox and Chrome (Chromium) use their own trust store. Firefox has an option to use the system trust store, but that is broken on Linux and marked as "Wontfix" in their bug tracker. There still is the option to install certificates to the Firefox trust store with their enterprise policies, though.

I was looking for the same thing for Chromium policies, but I have not found any evidence of there being such a thing.

So my question is basically the same as this one: How to make Chrome trust Windows system root CA certificate? but on Linux.

If using the OS trust store is not an option, importing select certificates would be a good workaround.

2 Answers

7

I suggest looking at p11-kit (Specifically the trust module)

This is effectively a drop-in replacement for libnssckbi (what Chrome and Firefox use for their trust store). Once you've installed this, you can just replace or symlink the library with the p11 version.

On Ubuntu (up through 22.04), these are the file paths you need:

  • Chrome: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
  • Firefox (.deb, not snap/flatpak): /usr/lib/firefox/libnssckbi.so

I've been deploying this via puppet for ~5 years now, and the manifests effectively boil down to these Ubuntu commands:

apt install -y p11-kit p11-kit-modules
ln -s -f /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
ln -s -f /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so

Once these changes are in place, Chrome and Firefox act like normal apps and just use the system trust store (including any custom CAs), instead of using their own.
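The symlink step above, as an added example that is not part of the answer or of p11-kit itself: a small shell script that performs the replacement idempotently, moves the browser's original libnssckbi.so aside as a .orig backup so the change can be reverted, and reports whether a given path already resolves to the p11-kit module. The default paths are the Ubuntu ones from the answer; the P11_TRUST/CHROME_NSS/FIREFOX_NSS variables, the .orig backup convention and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the answer or p11-kit): swap a browser's bundled
# NSS root store (libnssckbi.so) for the p11-kit trust module, idempotently
# and with a backup so the change can be undone. Default paths are the Ubuntu
# ones from the answer; override P11_TRUST/CHROME_NSS/FIREFOX_NSS as needed.
set -eu

P11_TRUST="${P11_TRUST:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}"
CHROME_NSS="${CHROME_NSS:-/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so}"
FIREFOX_NSS="${FIREFOX_NSS:-/usr/lib/firefox/libnssckbi.so}"

# link_nss_trust TARGET SOURCE
# Make TARGET a symlink to SOURCE. If TARGET is currently a regular file (the
# browser's own module), move it aside to TARGET.orig first, but never
# overwrite an existing backup. Re-running on an already-linked TARGET is a no-op.
link_nss_trust() {
  local target="$1" source="$2"
  [ -e "$source" ] || { echo "missing trust module: $source" >&2; return 1; }
  if [ -L "$target" ] && [ "$(readlink -f "$target")" = "$(readlink -f "$source")" ]; then
    return 0
  fi
  if [ -f "$target" ] && [ ! -L "$target" ]; then
    if [ -e "$target.orig" ]; then
      echo "refusing to overwrite existing backup $target.orig" >&2
      return 1
    fi
    mv "$target" "$target.orig"
  fi
  ln -sfn "$source" "$target"
}

# restore_nss_trust TARGET: put the backed-up original module back
restore_nss_trust() {
  local target="$1"
  [ -f "$target.orig" ] || { echo "no backup for $target" >&2; return 1; }
  rm -f "$target"
  mv "$target.orig" "$target"
}

# nss_uses_p11kit TARGET: succeed if TARGET resolves to the p11-kit module
nss_uses_p11kit() {
  [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$P11_TRUST")" ]
}

# Usage (as root): ./p11-nss-link.sh apply | restore | check
case "${1:-}" in
  apply)   for t in "$CHROME_NSS" "$FIREFOX_NSS"; do link_nss_trust "$t" "$P11_TRUST"; done ;;
  restore) for t in "$CHROME_NSS" "$FIREFOX_NSS"; do restore_nss_trust "$t"; done ;;
  check)   for t in "$CHROME_NSS" "$FIREFOX_NSS"; do
             if nss_uses_p11kit "$t"; then echo "$t -> p11-kit"; else echo "$t -> bundled store"; fi
           done ;;
esac
```

Run `check` after a browser package upgrade: a package update can reinstall the bundled libnssckbi.so over the symlink, which silently puts the browser back on its own root store, so the check is worth keeping in whatever configuration management already runs the `apply` step.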

5

In Ubuntu, Chrome uses its own certificate store, so you need to import the OS certificates inside Chrome's store.

Using the GUI, this is done using Manage certificates in Settings.

The article How to import CA root certificates on Linux and Windows contains the following script to copy OS certificates to the browser, which you could modify according to your need (or remove unneeded parts).

The script needs certutil. If not installed, use sudo apt install libnss3-tools.

Here is the script for installing the root CA in Firefox, Chrome, Chromium, Vivaldi and other browsers. Note that future updates to the OS store are not copied automatically.

#!/bin/bash
# Script installs root.cert.pem to certificate trust store of applications using NSS
# (e.g. Firefox, Thunderbird, Chromium)
# Mozilla uses cert8, Chromium and Chrome use cert9
# Requirement: apt install libnss3-tools

# CA file to install (CUSTOMIZE!)
certfile="root.cert.pem"
certname="My Root CA"

# For cert8 (legacy - DBM)
for certDB in $(find ~/ -name "cert8.db")
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d dbm:"${certdir}"
done

# For cert9 (SQL)
for certDB in $(find ~/ -name "cert9.db")
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d sql:"${certdir}"
done

harrymc
  • 498,455
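An added check that is not part of the answer or of the linked article: once the import loop above has run, confirm that the CA actually landed in each profile database with the trust attributes you expect, since `certutil -A` happily succeeds with flags that do not make the certificate an SSL trust anchor. The `certutil -L` listing is parsed with awk (nicknames may contain spaces, so the trust column is taken as the last field); the sample listing in the test, the function names and the `audit` mode are constructed for this example, and the live `audit` mode assumes certutil from libnss3-tools is installed.

```shell
#!/bin/bash
# Added example (not from the answer or the linked article): audit NSS profile
# databases for a CA nickname and its trust attributes after the import has run.
# `certutil -L` prints a two-line header, a blank line, then one line per
# certificate: "<nickname> <trust attrs>", with the attribute column formatted
# as SSL,S/MIME,JAR/XPI (e.g. "CT,C,C" or "TCu,Cu,Tu").
set -eu

# trust_flags_from_listing NICKNAME : read `certutil -L` output on stdin and
# print the trust attributes for NICKNAME, or nothing if it is absent.
trust_flags_from_listing() {
  local name="$1"
  awk -v name="$name" '
    NR > 2 {                       # skip the two header lines
      flags = $NF
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the trailing trust column
      if (nick == name) { print flags; exit }
    }'
}

# ca_trusted_for_ssl FLAGS : succeed if the SSL field (before the first comma)
# contains C, i.e. the certificate is a trusted CA for TLS server auth.
ca_trusted_for_ssl() {
  case "${1%%,*}" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# audit_nss_db DBDIR NICKNAME : check one sql: database with the real certutil
audit_nss_db() {
  local dir="$1" name="$2" flags
  flags=$(certutil -L -d "sql:$dir" | trust_flags_from_listing "$name")
  if [ -z "$flags" ]; then
    echo "$dir: '$name' missing" >&2
    return 1
  fi
  if ! ca_trusted_for_ssl "$flags"; then
    echo "$dir: '$name' present but SSL trust '$flags' lacks C" >&2
    return 1
  fi
  echo "$dir: '$name' ok ($flags)"
}

# Usage: ./nss-audit.sh audit ["My Root CA"]
# Walks every cert9.db under $HOME, as the import script does.
if [ "${1:-}" = "audit" ]; then
  find "$HOME" -name cert9.db 2>/dev/null | while read -r db; do
    audit_nss_db "$(dirname "$db")" "${2:-My Root CA}" || true
  done
fi
```

Because the import script copies the CA only into profiles that exist at the time it runs, the same audit run periodically catches profiles created later, which is the gap the answer's note about future updates points at.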