Personally, I use a whole lot of self-signed SSL certificates. I like my info to be encrypted in transit, but I don't want to have to shell out hundreds of dollars per year for all the domains I want encrypted. I understand why the chain of trust exists, but I think it's a bit of a racket in terms of what companies charge just to sign your certs. Enough with the griping and on to the “how to do this” section.

If you are using Chrome, chances are you've run into what I call “the red page of SSL doom”. In reality, this page is a good thing because if you see it when you are, say, doing your banking, you know that something is seriously wrong. However, it gets annoying when I see it every time I restart Chrome and browse to my Nagios site. Unlike Firefox, there seems to be no way to simply tell Chrome “I know the cert isn't valid, but trust it anyway”. After doing some searching, I found this site that pretty much says exactly what to do. Big thanks to “towo” on that. There were a couple of issues with it, so I decided to whip up the following shell script to make this convenient and easy.

Make sure you have the libnss3-tools package installed first. Specifically, we need the certutil program out of that. You should see something like the following if you have certutil installed:

$ which certutil
/usr/bin/certutil

If you don't have certutil, you need to install the libnss3-tools package. On Ubuntu, it's pretty simple:

$ sudo apt-get install libnss3-tools

Once you are done with that, you should be good to go, as I assume that you have openssl installed.

This is the contents of the shell script which you can either copy and paste into your own file or download it. If you do download it, you will have to use gunzip cert_import.sh.gz to decompress it.

#!/bin/sh
 
usage() {
    ex="${1:-0}"
    echo "Usage: $0 <host> [<port>]"
    echo "\n\tPort will be set to 443 by default"
    exit $ex
}
 
host="$1"
if [ -z $host ] ; then
    usage 1
fi
port="${2:-443}"
ssl=/usr/bin/openssl
cu=/usr/bin/certutil
tmp="$(tempfile)"
 
trap 'rm $tmp' 1 2 3 15
 
echo |
    openssl s_client -connect $host:$port 2>&1 |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $tmp
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$host" -i $tmp
rm $tmp

Just run that as your normal user to import the certificate for your domain like so:

$ cert_import.sh my.domain.com

If you are using a different port than the standard SSL port 443, you can add that as a second argument:

$ cert_import.sh my.domain.com 4430

That's about it. Thanks again to “towo” at http://ydal.de/trusting-self-signed-certificates-with-google-chrome-on-linux/ for getting me started on this.