Personally, I use a whole lot of self-signed SSL certificates. I like my info to be encrypted in transit, but I don't want to have to shell out hundreds of dollars per year for all the domains I want encrypted. I understand why the chain of trust exists, but I think it's a bit of a racket in terms of what companies charge just to sign your certs. Enough with the griping and on to the “how to do this” section.
If you are using Chrome, chances are you've run into what I call “the red page of SSL doom”. In reality, this page is a good thing because if you see it when you are, say, doing your banking, you know that something is seriously wrong. However, it gets annoying when I see it every time I restart Chrome and browse to my Nagios site. Unlike Firefox, there seems to be no way to simply tell Chrome “I know the cert isn't valid, but trust it anyway”. After doing some searching, I found this site that pretty much says exactly what to do. Big thanks to “towo” on that. There were a couple of issues with it, so I decided to whip up the following shell script to make this convenient and easy.
Make sure you have the libnss3-tools package installed first. Specifically, we need the certutil program out of that. You should see something like the following if you have certutil installed:
$ which certutil
/usr/bin/certutil
If you don't have certutil, you need to install the libnss3-tools package. On Ubuntu, it's pretty simple:
$ sudo apt-get install libnss3-tools
Once you are done with that, you should be good to go, as I assume that you have openssl installed.
This is the contents of the shell script, which you can either copy and paste into your own file or download. If you do download it, you will have to use gunzip cert_import.sh.gz to decompress it.
#!/bin/sh

usage() {
    ex="${1:-0}"
    echo "Usage: $0 <host> [<port>]"
    # printf rather than echo: dash and bash disagree on whether echo expands \n and \t
    printf '\n\tPort will be set to 443 by default\n'
    exit "$ex"
}

host="$1"
if [ -z "$host" ] ; then
    usage 1
fi
port="${2:-443}"

ssl=/usr/bin/openssl
cu=/usr/bin/certutil

# mktemp instead of the Debian-only tempfile; the EXIT trap also removes the
# temporary file on a normal exit, so no trailing rm is needed
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT HUP INT QUIT TERM

# Ask the server for its certificate and keep only the PEM block(s).
# -servername sends SNI, so a host serving several names returns the right cert.
echo | "$ssl" s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$tmp"

if ! grep -q 'BEGIN CERTIFICATE' "$tmp" ; then
    echo "No certificate received from $host:$port" >&2
    exit 1
fi

# Import into Chrome's per-user NSS database. The trust flags are three
# comma-separated fields (SSL,email,object signing); C = trusted CA,
# P = trusted peer, so "CP,,C" trusts this certificate, and anything signed
# with its key, for SSL.
"$cu" -d sql:"$HOME/.pki/nssdb" -A -t "CP,,C" -n "$host" -i "$tmp"
Just run that as your normal user to import the certificate for your domain like so:
$ cert_import.sh my.domain.com
If you are using a different port than the standard SSL port 443, you can add that as a second argument:
$ cert_import.sh my.domain.com 4430
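One thing the script does not do is confirm that what ended up in the NSS database is really your server's certificate: the first fetch is trust-on-first-use, so anything sitting between you and the server on that first connection could hand you a different cert. The following is an added example, not part of the original post or of cert_import.sh. It compares the SHA-256 fingerprint of the certificate stored under the host's nickname with the one the live server presents now; compare either value against the fingerprint openssl reports on the server itself to close the loop. The function names and the nssdb path are assumptions of the example, and it assumes openssl and certutil are on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): check that the certificate
# Chrome now trusts for a host matches what that host actually serves.
# Assumes openssl and certutil are installed; the nssdb path below is the
# same per-user database cert_import.sh writes to.

nssdb="sql:$HOME/.pki/nssdb"

# Keep only the first PEM block on stdin (the leaf certificate) and ignore
# the rest of an s_client transcript, including any intermediates after it.
extract_leaf_cert() {
    awk '/-BEGIN CERTIFICATE-/{p=1} p{print} /-END CERTIFICATE-/{exit}'
}

# SHA-256 fingerprint of a PEM certificate on stdin, as "AB:CD:...".
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate the live server presents (needs network).
live_fingerprint() {
    host="$1"; port="${2:-443}"
    echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | extract_leaf_cert | pem_fingerprint
}

# Fingerprint of the certificate stored under nickname $1 in the NSS database.
# certutil -L -n <nick> -a prints that entry in PEM form.
stored_fingerprint() {
    certutil -d "$nssdb" -L -n "$1" -a 2>/dev/null | pem_fingerprint
}

# Returns 0 when both fingerprints were obtained and match, 1 otherwise.
verify_import() {
    host="$1"; port="${2:-443}"
    live="$(live_fingerprint "$host" "$port")"
    stored="$(stored_fingerprint "$host")"
    [ -n "$live" ] && [ "$live" = "$stored" ]
}

if [ -n "${1:-}" ]; then
    if verify_import "$1" "${2:-443}"; then
        echo "OK: stored certificate for $1 matches the live server"
    else
        echo "MISMATCH or missing entry for $1: re-check before trusting it" >&2
        exit 1
    fi
fi
```

Run it as verify_import.sh my.domain.com (or with a second argument for a non-standard port) right after cert_import.sh. On the server, openssl x509 -in server.crt -noout -fingerprint -sha256 gives the value both sides should agree with. While you are in certutil, certutil -d sql:$HOME/.pki/nssdb -L lists every entry in the database, and certutil -d sql:$HOME/.pki/nssdb -D -n my.domain.com removes one you no longer want trusted.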
That's about it. Thanks again to “towo” at http://ydal.de/trusting-self-signed-certificates-with-google-chrome-on-linux/ for getting me started on this.