SSL Certificate for Browser

This message gets annoying when working with PUM images. The browser complains about the SSL certificate even though it’s just a temporary one and you’re not working on production or sensitive data.

So, I worked through telling my browser to trust the certificate. Here are my notes…

Downloading the Certificate from Firefox

Before we can get the browser to trust the certificate, we need to get access to the certificate. So, here’s the easy way assuming you are in a Firefox browser. I’ll try from

First, click on the lock by the URL and then click on the “Connection not secure” message in the menu.

Now, click the View More Information option to open the properties window.

This opens a window with details about the site. So, click on the View Certificate button.

This opens a new web page / tab with all kinds of details about the certificate. If you scroll down to the Miscellaneous section, you can find a download link. That will download a PEM file with the certificate in it.

Installing the Certificate in Oracle Linux

First, I found the Firefox certificate database:

$ find ~/ -name "cert8.db"
$ find ~/ -name "cert9.db"
/home/PS/.mozilla/firefox/6n8rm3sx.default-default/cert9.db

As I understand it, this command should import the certificate. The command works, but Firefox still complains.

certutil -d sql:/home/PS/.mozilla/firefox/6n8rm3sx.default-default -A -t P -n "My PS Cert" -i $HOME/Downloads/tr46-digitaleagle-net.pem

So, the fix was to use the -t C option. P is for “trusted peer” and C is for “trusted CA to issue server certs”.

certutil -d sql:/home/PS/.mozilla/firefox/6n8rm3sx.default-default -A -t C -n "My PS Cert" -i $HOME/Downloads/tr46-digitaleagle-net.pem

Just for thoroughness, certutil came pre-installed in the PUM where I was working. But, if you don’t have it, I found it is part of the nss-tools package.

$ which certutil
/usr/bin/certutil
$ rpm -q --whatprovides /usr/bin/certutil
nss-tools-3.79.0-5.el7_9.x86_64

Downloading the Certificate from Chrome

So, what if you have Chrome? Or, in my case, I currently have Chromium. The process is basically the same. Click on the “Not Secure” warning by the URL, then click on the “Certificate is not valid” message.

This should open a dialog with information about the certificate. Go to the Details tab and click on Export. That should allow you to save the file.

I saved the file as a .crt file in my Downloads folder. The File type was set to Base64-encoded ASCII, single certificate.

Installing the Certificate in Ubuntu

First, my Ubuntu installation didn’t already have certutil installed. So, I installed the libnss3-tools package.

sudo apt install libnss3-tools

For Chrome, the database folder should be in the .pki/nssdb directory. But, I ran both commands and it didn’t make a difference.

certutil -d sql:$HOME/.pki/nssdb -A -t P -n "tr46-digitaleagle-net" -i $HOME/Downloads/tr46.digitaleagle.net.crt
certutil -d sql:$HOME/.pki/nssdb -A -t C -n "tr46-digitaleagle-net" -i $HOME/Downloads/tr46.digitaleagle.net.crt

So, I ran my find command:

find ~/ -name "cert9.db"

That pointed out to me that my Chromium is actually installed as a snap. So, I need to use the nssdb folder inside the snap. So, this did the trick:

certutil -d sql:$HOME/snap/chromium/2572/.pki/nssdb -A -t P -n "tr46-digitaleagle-net" -i $HOME/Downloads/tr46.digitaleagle.net.crt
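
The steps above collected into one script, as an added example that is not from the original post: it finds every cert9.db under the home directory (so the snap's per-revision nssdb is picked up without hard-coding a revision such as 2572), prints the certificate's SHA-256 fingerprint for comparison with the browser's certificate viewer, and imports it. The function names and the default trust string "C,," are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the directory of every NSS database (cert9.db) under a root, default $HOME.
# Covers Firefox profiles, ~/.pki/nssdb and per-revision snap directories.
nss_db_dirs() {
    find "${1:-$HOME}" -type f -name cert9.db 2>/dev/null |
    while IFS= read -r db; do dirname "$db"; done | sort -u
}

# Import CERT under nickname NICK into every database found under ROOT.
# TRUST defaults to "C,," (trusted CA for server certs, SSL column only),
# the setting the post found Firefox needed.
trust_cert_everywhere() {
    cert=$1; nick=$2; root=${3:-$HOME}; trust=${4:-"C,,"}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 1; }
    # Show the fingerprint so it can be compared with the browser's certificate viewer.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$cert" -noout -fingerprint -sha256
    fi
    nss_db_dirs "$root" | while IFS= read -r dir; do
        if certutil -d "sql:$dir" -A -t "$trust" -n "$nick" -i "$cert"; then
            echo "imported into $dir"
        else
            echo "import failed for $dir" >&2
        fi
    done
}

# Run only when called with arguments: script.sh CERT NICK [ROOT] [TRUST]
if [ "$#" -ge 2 ]; then
    trust_cert_everywhere "$@"
fi
```

`certutil -d sql:DIR -L` lists what each database now trusts, and `certutil -d sql:DIR -D -n NICK` removes the entry once the PUM image is retired.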
