google-chrome or chromium and SSL client certificates

Many of our restricted services rely on client authentication based on X.509 SSL certificates. And some of the better (say, user-friendly 🙂) ones are accessible using a web interface.

So, with Firefox, certificate-based authentication is relatively easy to implement, yet when using google-chrome or chromium I was quite lost on how to manage my certificates.

Apparently, both google-chrome and chromium lack a GUI feature for managing one’s certificates (at least under Linux) because “rather than reinvent the wheel and create another certificate configuration tool, we are going to wait for a system certificate configuration utility to be created and launch that”, see [1].

However, it is not too difficult to manage the certificates on the command line. The process is also described on the same page; some pitfalls exist, however.

Under Mandriva, the required tools are “normally” installed already: you don’t need an extra nss-tools or nss-util package, because the nss package already provides the essential certutil binary.

Some examples:

  • Listing one’s certificates:
    % certutil -d sql:$HOME/.pki/nssdb -L
  • Adding a trusted root CA:
    % certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "certificate nickname" -i certificate-filename

    The -t "C,," argument sets the trust attributes of the certificate being imported; “C” means a CA certificate good for issuing SSL server certificates. See [2] for a listing of other possible flags.

  • Adding a client certificate for authentication:
    % pk12util -d sql:$HOME/.pki/nssdb -i yourClientCertFile.p12

Further usage examples can be found in [1] and [3].
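
To check what an import actually did, the listing printed by `certutil -L` can be read back and classified by its trust flags. The script below is an added example, not part of the original post: the function names and the sample listing are constructed, and the flag meanings used (C, T, u) are those documented for certutil in [2].

```shell
#!/bin/sh
# Added example (not from the original post): classify `certutil -L` rows by
# trust flags. Function names and the sample listing are constructed.
# Real use: certutil -d sql:$HOME/.pki/nssdb -L | audit_nss_listing

audit_nss_listing() {
    awk '
    # Skip the two header lines and blank lines.
    /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
    {
        trust = $NF                            # "ssl,email,objsign"
        if (split(trust, f, ",") != 3) next    # not a listing row
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop trust column only
        sub(/^[ \t]+/, "", nick)               # nicknames may contain spaces
        if (f[1] ~ /u/)      role = "client-identity"  # u: private key present
        else if (f[1] ~ /C/) role = "ssl-server-ca"    # C: CA for SSL server certs
        else if (f[1] ~ /T/) role = "ssl-client-ca"    # T: CA for SSL client certs
        else                 role = "untrusted"
        # "C,," grants SSL trust only; flag CA trust in the other two fields.
        extra = (f[2] ~ /[CT]/ || f[3] ~ /[CT]/) ? "yes" : "no"
        printf "%s|%s|%s|extra-trust=%s\n", nick, trust, role, extra
    }'
}

# Constructed sample in the layout printed by `certutil -L`.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Internal Root CA                                     C,,
jane.doe client cert                                         u,u,u
Overtrusted Test CA                                          CT,C,C
EOF
}

sample_listing | audit_nss_listing
```

A CA row reported with `extra-trust=yes` is trusted for more than the SSL use that -t "C,," grants, and a client certificate that does not show up as `client-identity` was imported without its private key.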

And finally, before google-chrome or chromium actually uses the client certificates in the store, you have to manually tell it using a command line switch:

% google-chrome --auto-ssl-client-auth

or

% chromium --auto-ssl-client-auth

I did all this using Mandriva 2010.1, so things may be different for other distros.

[1] http://code.google.com/p/chromium/wiki/LinuxCertManagement
[2] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193
[3] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#Examples
