Tuesday, June 18, 2013

Adding self-signed SSL certificates to Google Chrome

Every time I connect to my work web email server through our VPN I get an SSL Untrusted Certificate Error in Google Chrome and have to click on that annoying red screen that practically begs me not to Proceed. It's not a BAD Certificate, it's just Self-Signed. You'd think Google would have done what Firefox did and given you a nice CLICK to ADD option for the offending SSL Certificate.

Well, really it's not that big a deal, but I just have to find fixes for these kinds of things.


1.  Open a TERMINAL window.
2.  TYPE sudo apt-get install libnss3-tools (HIT ENTER).
3.  Open GEDIT or any text editor and copy and paste the text below (with no blank lines at the top or bottom):

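#!/bin/sh
#
# usage:  import-cert.sh remote.host.name [port]
#
# Fetches the certificate the server presents and adds it to the
# NSS database that Chrome uses on Linux.
REMHOST=$1
REMPORT=${2:-443}
# Save stdout on descriptor 6, then send output to a file named after the host.
exec 6>&1
exec > "$REMHOST"
# Keep only the PEM certificate block from the s_client output.
echo | openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
# -A adds the certificate, -t sets trust flags, -n the nickname, -i the input file.
# TC trusts it as a CA, which is broader than trusting one server certificate.
certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$REMHOST" -i "$REMHOST"
# Restore stdout and close descriptor 6.
exec 1>&6 6>&-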

4.  Save this file in your HOME directory as import-cert.sh and close GEDIT.
5.  Import your SSL certificate by typing the following command into your TERMINAL window.

bash import-cert.sh YOUR.SERVER.NAME 443

6.  Done!


NOTES:  Replace YOUR.SERVER.NAME with your server's fully qualified domain name.  If your server is using a different PORT (443 is default) then replace the 443 with whatever PORT your company uses.  Make sure you can connect to YOUR SERVER (connect your VPN?)
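
The script in step 3 imports whatever certificate the server presents at the moment it runs, so a more careful variant compares the certificate's SHA-256 fingerprint with a value obtained from the server's administrator before importing. This is an added example, not part of the original post or of the script it credits; the function names, the third argument and the use of `P,,` trust (the setting the Chromium documentation gives for a self-signed server certificate) instead of `TC` are choices made for this example.

```shell
#!/bin/sh
# Added example: check the fingerprint, then import. Usage:
#   verify-import-cert.sh HOST PORT EXPECTED_SHA256_FINGERPRINT
# The expected fingerprint must come from the server's administrator,
# not from the same network connection.

# Reduce a fingerprint to bare uppercase hex so that
# "sha256 Fingerprint=AB:cd:..." and "abcd..." compare equal.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are full-length SHA-256 fingerprints and match.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

verify_and_import() {
    host=$1 port=$2 expected=$3
    pem=$(mktemp) || return 1
    # Fetch only the leaf certificate the server presents.
    echo | openssl s_client -connect "${host}:${port}" -servername "$host" 2>/dev/null |
        openssl x509 -outform PEM > "$pem"
    # An empty result (connection failed) can never match below.
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    if fp_matches "$actual" "$expected"; then
        # P,, = trusted peer: this one server certificate only, not a CA.
        certutil -d "sql:$HOME/.pki/nssdb" -A -t "P,," -n "$host" -i "$pem"
        rc=$?
    else
        echo "fingerprint mismatch for $host, not importing: $actual" >&2
        rc=1
    fi
    rm -f "$pem"
    return "$rc"
}

# Run only when called with host, port and fingerprint.
if [ "$#" -eq 3 ]; then
    verify_and_import "$@"
fi
```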

Other useful certutil commands (TYPE them in a TERMINAL window):

List all certificates in your database:
certutil -L -d sql:$HOME/.pki/nssdb

To delete a certificate:
certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>

Replace <certificate nickname> with the name displayed by the List Certificates command.



FULL CREDIT:  The Bash Script is NOT mine.  I did NOT write it, I found it on THIS SITE and it was written by Peter van der Does (according to the website).  Follow the link and read his article for a description of what all this does.


