====== Self-Signed Cert. Import for Chrome (Linux) ======

Personally, I use a whole lot of self-signed SSL certificates. I like my info to be encrypted in transit, but I don't want to have to shell out hundreds of dollars per year for all the domains I want encrypted. I understand why the chain of trust exists, but I think it's a bit of a racket in terms of what companies charge just to sign your certs.

Enough with the griping and on to the "how to do this" section.

If you are using Chrome, chances are you've run into what I call "the red page of SSL doom". In reality, this page is a good thing because if you see it when you are, say, doing your banking, you know that something is seriously wrong. However, it gets annoying when I see it every time I restart Chrome and browse to my Nagios site. Unlike Firefox, there seems to be no way to simply tell Chrome "I know the cert isn't valid, but trust it anyway".

After doing some searching, I found [[http://ydal.de/trusting-self-signed-certificates-with-google-chrome-on-linux/|this site]] that pretty much says exactly what to do. Big thanks to "towo" on that. There were a couple of issues with it, so I decided to whip up the following shell script to make this convenient and easy.

===== Install libnss3-tools =====

Make sure you have the ''libnss3-tools'' package installed first. Specifically, we need the ''certutil'' program out of that. You should see something like the following if you have ''certutil'' installed:

<code>
$ which certutil
/usr/bin/certutil
</code>

If you don't have ''certutil'', you need to install the ''libnss3-tools'' package. On Ubuntu, it's pretty simple:

<code>
$ sudo apt-get install libnss3-tools
</code>

Once you are done with that, you should be good to go, as I assume that you have ''openssl'' installed.

===== The Script =====

These are the contents of the shell script, which you can either copy and paste into your own file or {{:apps:chrome:cert_import.sh.gz|download}}.
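If you do {{:apps:chrome:cert_import.sh.gz|download it}}, you will have to use ''gunzip cert_import.sh.gz'' to decompress it.

<code bash>
#!/bin/sh

usage() {
    ex="${1:-0}"
    echo "Usage: $0 <host> [<port>]"
    # printf interprets \n and \t the same way in every /bin/sh
    printf '\n\tPort will be set to 443 by default\n'
    exit "$ex"
}

host="$1"
if [ -z "$host" ] ; then
    usage 1
fi
port="${2:-443}"

ssl=/usr/bin/openssl
cu=/usr/bin/certutil

# mktemp replaces the deprecated tempfile
tmp="$(mktemp)" || exit 1
# Remove the temporary file on exit, including after HUP/INT/QUIT/TERM
trap 'rm -f "$tmp"' 0
trap 'exit 1' 1 2 3 15

# Fetch the certificate the server presents (-servername sends SNI)
echo | "$ssl" s_client -connect "$host:$port" -servername "$host" 2>&1 |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$tmp"

# Stop if the connection produced no certificate
if [ ! -s "$tmp" ] ; then
    echo "No certificate received from $host:$port" >&2
    exit 1
fi

# Add the certificate to the NSS database that Chrome uses
"$cu" -d "sql:$HOME/.pki/nssdb" -A -t CP,,C -n "$host" -i "$tmp"
</code>

Just run that as your normal user to import the certificate for your domain like so:

<code>
$ cert_import.sh my.domain.com
</code>

If you are using a different port than the standard SSL port 443, you can add that as a second argument:

<code>
$ cert_import.sh my.domain.com 4430
</code>

That's about it. Thanks again to "towo" at [[http://ydal.de/trusting-self-signed-certificates-with-google-chrome-on-linux/]] for getting me started on this.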
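
The script above trusts whatever certificate the server presents at the moment it runs, so it is worth comparing that certificate's SHA-256 fingerprint with one read on the server itself (''openssl x509 -noout -fingerprint -sha256 -in <cert file>'') before importing. The following is an added example, not part of the original script or of towo's instructions; the function names are made up here, and it reuses the page's ''certutil'' invocation and trust flags.

```shell
#!/bin/sh
# Added example (not the original cert_import.sh): import only if the
# certificate's SHA-256 fingerprint matches one obtained out of band.
# Function names are made up for this example.

# Drop any "label=" prefix, colons and whitespace; lower-case the hex.
norm_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first certificate in a PEM file (empty on error).
cert_fp() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# True only if the file holds a certificate whose fingerprint equals $2.
fp_matches() {
    fm_got="$(cert_fp "$1")"
    [ -n "$fm_got" ] && [ "$fm_got" = "$(norm_fp "$2")" ]
}

# usage: import_pinned host expected_fingerprint [port]
import_pinned() {
    ip_host="$1"; ip_want="$2"; ip_port="${3:-443}"
    ip_tmp="$(mktemp)" || return 1
    openssl s_client -connect "$ip_host:$ip_port" -servername "$ip_host" \
        </dev/null 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$ip_tmp"
    if fp_matches "$ip_tmp" "$ip_want"; then
        # same database and trust flags as the page's script
        certutil -d "sql:$HOME/.pki/nssdb" -A -t CP,,C -n "$ip_host" -i "$ip_tmp"
        ip_rc=$?
    else
        echo "refusing import: $ip_host presented $(cert_fp "$ip_tmp")" >&2
        ip_rc=1
    fi
    rm -f "$ip_tmp"
    return "$ip_rc"
}

# Run only when given arguments: host expected_fingerprint [port]
if [ "$#" -ge 2 ]; then
    import_pinned "$@"
fi
```

The expected fingerprint can be pasted in the colon-separated form that ''openssl'' prints or as plain hex. An empty or failed download never matches.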