2

I am unable to install a self-signed CA certificate in Chromium and have it accept the TLS connection.

Your connection is not private
Attackers might be trying to steal your information from XXX (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_INVALID

Are there any issues with self-signed certs and Chromium for Linux that I am unaware of?


Details:

I am on Ubuntu using Chromium (Version 95.0.4638.69 (Official Build) Built on Ubuntu, running on Ubuntu 18.04 (64-bit)).

There is a Website that uses their own CA. When I access it, I get the usual message about the non-trusted certificate of TLS.

I have dealt with this situation many times, so I exported the certificate as Base64-encoded ASCII, single certificate and saved it to disk. Then I go to the Chromium Settings - Manage HTTPS/SSL certificates and import it in Authorities, finally clicking on the Trust this certificate for....

I restart Chromium, access the Website and I still get the error.

I do these exact same steps in Chrome for Windows (which uses the Windows keystore) and everything goes just fine. I also tried the Windows-exported server certificate in Linux, just in case, but I got the same error, as they are equal.

I have checked this and other sites to see if there is something weird about Chromium but I cannot find anything useful. There seem to be people saying that some TLS things fail only on Linux, so it seems the functionality does not work in the software for some reason.

1 Answer

5

I'm using Chromium on a Pi with Debian, so similar. I added my local controlled CA server to the Linux OS (/usr/local/share/ca-certificates/ and ran update-ca-certificates) and that works great with things like curl. But Chromium gave me the same error you have above.

I used certutil to add the same certificate to Chromium (restarted Chromium) and it now works:

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/linux/cert_management.md

How do you add a certificate authority (CA) to Ubuntu?

My command line (as chromium user, not root):

certutil -d sql:$HOME/.pki/nssdb -A -t ${TRUSTARGS} -n "Taz Root" -i taz_root_ca.crt

Where taz_root_ca.crt is the cert generated by step-ca (the local CA I'm using). Odd thing, the 'nick name' does match what I typed but rather:

$  certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Cherry CA Root CA - Cherry CA                                CT,C,C
1
  • for accepting taz_root_ca.crt as a trusted CA certificate use TRUSTARGS="CT,c,c", ... e.g.: certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "Taz Root" -i taz_root_ca.crt
    – Abdull
    Commented Feb 13, 2023 at 13:03
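
Added example (not part of the original answer or comment): a check to run after the import, which reads a `certutil -L` listing and classifies each entry by its trust flags. It shows whether a CA actually carries `C` in the SSL field, which is what website validation needs, and whether it was granted more than that. The function names and the two extra sample entries are constructed; the flag meanings follow the certutil documentation.

```bash
#!/usr/bin/env bash
# Added example: classify the trust column of a `certutil -L` listing.
# Real use: certutil -d sql:$HOME/.pki/nssdb -L | audit_nss_trust

# Prints "<verdict><TAB><trust><TAB><nickname>" per certificate.
#   TLS-CA        C in the SSL field only: trusted to issue server certificates
#   TLS-CA+EXTRA  also T (client-auth issuer) or C for S/MIME or JAR/XPI
#   NOT-TRUSTED   no C in the SSL field: websites under this CA stay untrusted
audit_nss_trust() {
  awk '
    # The trust column is the last field, shaped SSL,S/MIME,JAR/XPI.
    NF >= 2 && $NF ~ /^[a-zA-Z]*,[a-zA-Z]*,[a-zA-Z]*$/ {
      trust = $NF
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop the trust column
      sub(/^[ \t]+/, "", nick)               # drop leading indentation
      split(trust, f, ",")
      if (f[1] !~ /C/)                                  verdict = "NOT-TRUSTED"
      else if (f[1] ~ /T/ || f[2] ~ /C/ || f[3] ~ /C/)  verdict = "TLS-CA+EXTRA"
      else                                              verdict = "TLS-CA"
      printf "%s\t%s\t%s\n", verdict, trust, nick
    }'
}

# Constructed sample: the first entry mirrors the listing in the answer,
# the other two nicknames are made up for illustration.
sample_listing() {
  cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Cherry CA Root CA - Cherry CA                                CT,C,C
Lab Web Root (constructed)                                   C,,
Imported Only (constructed)                                  c,,
EOF
}

sample_listing | audit_nss_trust
```

The Chromium certificate-management page linked in the answer imports a root CA with `-t "C,,"`, which this audit reports as `TLS-CA`; the `CT,c,c` value from the comment is reported as `TLS-CA+EXTRA` because of the `T` flag.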
