teh bigbro blog(tm)
Bigbro's foray into the scary world of blogging
05 08 2010

Thu, 05 Aug 2010

Adding the CACert root certificate to Google Chrome on Ubuntu

Google Chrome is Google's browser and provides a refreshingly fast interface to (in particular) JavaScript-heavy websites. It's also a pretty good general browser, but like many others it presents dire warnings of doom if you attempt to view an https secured website which doesn't have a recognised certificate. (Or, more correctly, doesn't have a certificate signed by an authority recognised by Google.)
Most other browsers provide a method of installing root certificates, but Google decided to use an already established certificate management system external to the browser: the NSS (Network Security Services) toolkit. So if you want to view websites secured by free CACert SSL certificates, or need to browse to sites secured by self-signed SSL certs (like the https management interface of my Linksys WRT54G wireless router running Tomato firmware, for example), then you'll want to add some certificates to your NSS database. Fortunately, it's pretty simple to do...
First, let's install the CACert root certificate. Installing this means that Google Chrome will trust the identity of sites using certificates issued by CACert. This is a good thing and saves clicking the "Proceed anyway" button every time.

  1. First, grab the root cert file from the CACert Root Cert page. You should verify that the file is correct and has not been tampered with; MD5 and SHA1 hashes are included, along with the fingerprint signed by the CACert GPG key. I'll leave it as an exercise for the reader as to how authenticity should be verified, but for the moment let's assume we have a good, trusted copy of the CACert Root Certificate (PEM format) saved as root.crt in your home directory.
  2. If you've not already, install the NSS tool set: a simple sudo aptitude install libnss3-tools should work nicely. You will be asked for your login password to confirm you have permission to install software.
  3. Install the CACert root certificate by running certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "CACert Root Certificate" -i root.crt from the directory where root.crt was saved.
  4. There is no step 4... you can now go to CACert-secured web pages and Chrome will correctly verify that the site's SSL cert has been signed by the CACert root certificate.

The second case typically occurs where a device generates a self-signed certificate, so there is no CA (Certificate Authority) to be installed in the browser. Instead, we can install the self-signed cert itself, indicating that we know and trust it - and, most importantly, getting rid of the extra click and big red warning page of doom every time we try to access the web interface of our home router ;-)
  1. If you've not done so above, you'll need to install the NSS tools, using sudo aptitude install libnss3-tools or similar.
  2. Next you'll need to get a copy of the certificate. Particularly with embedded devices, the easiest way is to pull the certificate directly from the device by pretending you're a web client. Thanks to tgulacsi78, who suggested echo QUIT | openssl s_client -connect hostname:443 | sed -ne '/BEGIN CERT/,/END CERT/p' - replacing hostname with the name of the host. In my case, I might use echo QUIT | openssl s_client -connect eeyore.han.signal2noise.ie:443 | sed -ne '/BEGIN CERT/,/END CERT/p' to get the cert from eeyore, my wireless router.
  3. Copy and paste the lines from 'BEGIN CERTIFICATE' to 'END CERTIFICATE' inclusive (exactly the lines the sed command above prints) into a file and save it as (say) router.crt
  4. Now we import the cert in exactly the same way as before, using a command line something like certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My router web admin certificate" -i router.crt
  5. Note that we have to use the C flag (i.e. mark it as a CA / Certificate Authority) due to a bug in NSS. Note also that you should replace the description after -n with something meaningful to you, and the argument after -i should be the path to the file we created in step 3.
  6. Test that everything has worked by using Chrome to access the site secured by the self-signed certificate again; this time no warnings should be given.

You can list the installed extra certificates by running certutil -d sql:$HOME/.pki/nssdb -L
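The fetch, extract and import steps above, wrapped as POSIX shell functions. This is an added example, not code from the original post: it assumes openssl and certutil are on the PATH, uses the same NSS database path as the post, and the function names, the nickname handling and the embedded sample of s_client output are mine (the sample is constructed, not a real certificate), so the extraction and the sanity check can be tried before anything is written to the database.

```shell
#!/bin/sh
# Added example, not from the original post: the fetch / extract / import steps
# as shell functions, with a sanity check on the PEM block before it is trusted.
NSSDB="sql:$HOME/.pki/nssdb"   # Chrome's per-user NSS database, as in the post

# First PEM certificate block from openssl s_client output on stdin: the post's
# sed range plus a 'q' on the END line, so a chain yields only the server cert.
extract_pem() {
    sed -n -e '/-----BEGIN CERT/,/-----END CERT/p' -e '/-----END CERT/q'
}

# Accept exactly one well-delimited PEM certificate block, nothing else:
# certutil imports whatever it is given, and "C,," grants full CA trust.
pem_looks_sane() {
    awk 'NR == 1 && $0 != "-----BEGIN CERTIFICATE-----" { bad = 1 }
         /^-----BEGIN CERTIFICATE-----$/ { b++ }
         /^-----END CERTIFICATE-----$/   { e++; last = NR }
         END { exit !(!bad && b == 1 && e == 1 && last == NR) }'
}

# Talk TLS to the device, as in the post, and keep only its certificate.
fetch_cert() {   # fetch_cert host [port]
    echo QUIT | openssl s_client -connect "$1:${2:-443}" 2>/dev/null | extract_pem
}

# "C,," = trusted CA for SSL: anything signed with this key becomes trusted,
# so only import certificates whose fingerprint you have checked on the device.
import_cert() {   # import_cert pemfile nickname
    certutil -d "$NSSDB" -A -t "C,," -n "$2" -i "$1"
}

add_device_cert() {   # add_device_cert host nickname
    tmp=$(mktemp) || return 1
    fetch_cert "$1" > "$tmp"
    if pem_looks_sane < "$tmp" && import_cert "$tmp" "$2"; then
        rm -f "$tmp"; certutil -d "$NSSDB" -L -n "$2"   # show what was just trusted
    else
        rm -f "$tmp"; echo "no single certificate from $1, nothing imported" >&2; return 1
    fi
}
# Constructed sample of s_client output (the body is not a real certificate),
# so the extraction and check can be exercised without a device on the network.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = router.example
-----BEGIN CERTIFICATE-----
MIIBc29tZS1jb25zdHJ1Y3RlZC1iYXNlNjQtbm90LWEtcmVhbC1jZXJ0
-----END CERTIFICATE-----
subject=CN = router.example'
if [ "$#" -eq 2 ]; then add_device_cert "$1" "$2"; fi
```

Saved as a script, it takes the host and the nickname as its two arguments; with no arguments it only defines the functions, so the extraction can be tried by piping the sample (or real s_client output) through extract_pem and pem_looks_sane first.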
Many thanks to the writers of the Google Chrome Certificate Management page and those who helpfully commented on it, providing more information.


posted at: 22:42 | path: /technical



copyright © 2005-2011, Gareth Eason