Importing Self-Signed Certificates into Chrome on Linux
Chrome on Linux uses NSS (Network Security Services) for certificate management. Install the certutil utility from your distribution:
Debian/Ubuntu/Linux Mint:
sudo apt install libnss3-tools
CentOS/Fedora/RHEL:
sudo dnf install nss-tools
Arch Linux:
sudo pacman -S nss
Extract and Import the Certificate
The most reliable approach is to extract the certificate directly from the server and import it into Chrome’s NSS database. This script handles both tasks:
#!/bin/bash
if [ $# -lt 1 ]; then
    echo "Usage: $0 <hostname> [port]"
    exit 1
fi
hostname=$1
port=${2:-443}
# Use an unpredictable temporary file: a fixed name in /tmp can be pre-created
# or symlinked by another local user. The trap removes it on every exit path.
certfile=$(mktemp) || exit 1
trap 'rm -f "$certfile"' EXIT
echo "Fetching certificate from $hostname:$port..."
# Extract the certificate chain
echo Q | openssl s_client -servername "$hostname" -connect "$hostname:$port" -showcerts 2>/dev/null \
    | sed -ne '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' \
    > "$certfile"
if [ ! -s "$certfile" ]; then
    echo "Error: Failed to retrieve certificate from $hostname" >&2
    exit 1
fi
# Import into NSS database
if certutil -d "sql:$HOME/.pki/nssdb" -A -t "P,," -n "$hostname" -i "$certfile"; then
    echo "Certificate imported successfully for $hostname"
    certutil -d "sql:$HOME/.pki/nssdb" -L -n "$hostname"
else
    echo "Error: Failed to import certificate" >&2
    exit 1
fi
# Cleanup is handled by the EXIT trap above
Save this as add-cert.sh, make it executable, and run it:
chmod +x add-cert.sh
./add-cert.sh your.internal.site
For non-standard ports:
./add-cert.sh your.internal.site 8443
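The script above trusts whatever certificate the server presents at the moment it is fetched. The following added example (not part of the original script; the function names and the expected-fingerprint argument are assumptions) imports the certificate only when its SHA-256 fingerprint matches one obtained out of band, for example by running openssl x509 -noout -fingerprint -sha256 on the server's own copy of the certificate:

```bash
#!/bin/bash
# Added example: import a server certificate only if its SHA-256 fingerprint
# matches a value obtained out of band. Function names are hypothetical.

# Reduce any fingerprint spelling to 64 lowercase hex digits, e.g.
# "sha256 Fingerprint=AB:CD:..." or "ab cd ..." becomes "abcd...".
normalize_fp() {
    local fp
    fp=$(printf '%s' "${1##*=}" | tr -d ': \n' | tr 'A-F' 'a-f')
    case "$fp" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1
    printf '%s\n' "$fp"
}

# Succeed only when both fingerprints are well-formed and identical.
fp_matches() {
    local a b
    a=$(normalize_fp "$1") || return 1
    b=$(normalize_fp "$2") || return 1
    [ "$a" = "$b" ]
}

# Fetch the leaf certificate, check it, then import with the same certutil call.
pinned_import() {
    local host="$1" expected="$2" port="${3:-443}" pem actual rc=1
    pem=$(mktemp) || return 1
    if echo Q | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
            | openssl x509 -outform PEM > "$pem" 2>/dev/null; then
        actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
        if fp_matches "$actual" "$expected"; then
            certutil -d "sql:$HOME/.pki/nssdb" -A -t "P,," -n "$host" -i "$pem" \
                && rc=0
        else
            echo "Fingerprint mismatch for $host, not importing" >&2
            echo "  got: $actual" >&2
        fi
    else
        echo "Error: could not retrieve a certificate from $host:$port" >&2
    fi
    rm -f "$pem"
    return "$rc"
}

# Run only when called with arguments: ./pinned-import.sh <host> <sha256-fp> [port]
if [ "$#" -ge 2 ]; then
    pinned_import "$@"
fi
```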
Verify the Import
List all imported certificates:
certutil -d "sql:$HOME/.pki/nssdb" -L
View details for a specific certificate:
certutil -d "sql:$HOME/.pki/nssdb" -L -n "your.internal.site"
The output shows the certificate’s trust flags. The P flag indicates it’s trusted for websites.
Restart Chrome
Close all Chrome/Chromium instances, including background processes:
killall chrome chromium chromium-browser google-chrome 2>/dev/null
Wait a moment for all processes to terminate, then reopen the browser. The certificate warning should no longer appear.
Remove a Certificate
If you need to delete a certificate later:
certutil -d "sql:$HOME/.pki/nssdb" -D -n "your.internal.site"
Troubleshooting
NSS database doesn’t exist
The ~/.pki/nssdb directory may not be present on fresh Linux installs. Create and initialize it:
mkdir -p ~/.pki/nssdb
certutil -d "sql:$HOME/.pki/nssdb" -N --empty-password
Certificate still shows warnings after import
Ensure Chrome is completely closed. Background processes can persist in the system tray. Verify with ps aux | grep chrome and force-kill if necessary:
killall -9 chrome chromium google-chrome 2>/dev/null
Hostname mismatch errors
Chrome validates the certificate’s Common Name (CN) or Subject Alternative Name (SAN) against the hostname. If they don’t match, the browser warns even after import. Check the certificate’s CN and SAN entries:
echo Q | openssl s_client -servername your.internal.site -connect your.internal.site:443 2>/dev/null \
    | openssl x509 -text -noout | grep -E -A1 "Subject:|Subject Alternative Name"
If the CN doesn’t match your hostname, you need a certificate with the correct CN or SAN field, or access the site using the hostname in the certificate.
Certificate chain issues
If the server uses intermediate certificates, the extraction script captures the full chain. However, some servers don’t send the complete chain. You may need to import the CA certificate separately:
# Save the CA cert to a file, then import it
certutil -d "sql:$HOME/.pki/nssdb" -A -t "CT,," -n "ca-cert-name" -i /path/to/ca.pem
Use CT,, trust flags for CA certificates instead of P,,.
Chromium, Brave, and Other Chromium-Based Browsers
This process works identically for Chromium, Google Chrome, Brave, and Edge. All Chromium-based browsers share the same NSS database, so importing a certificate once makes it available to all of them.
To confirm that a certificate is present in the shared NSS database:
certutil -d "sql:$HOME/.pki/nssdb" -L
If a certificate appears here, all installed Chromium-based browsers recognize it.

It seems that GitHub gives a free education pack to students, which includes a free SSL certificate for one year.
I just applied for it yesterday, and use it on https://chetui.org & https://www.chetui.org (which is used for reverse proxy of Google).
If your GitHub account is already certified as a student account of HKUST, then you can also apply for it. Finally, your https website would not show a warning to visitors for at least one year.
Sounds good. But I guess you need to pay after the first year. The https services for my sites are mainly for my own usage for secure transfer over the Web. Readers still visit by http. If https is enabled and later disabled, it will look strange while I am not ready to pay for the certificate manually yet.
You can get a free SSL/TLS certificate from StartSSL for your website:
https://ask.fclose.com/1495/how-to-get-free-web-server-ssl-tls-certificates-for-websites
Is this post still good for the year 2020 and CentOS 8?