The above methods failed for me, using Gentoo and nss-3.12.5-r1 However, following information at https://wiki.mozilla.org/NSS_Shared_DB_Howto , I changed the -d parameter to omit sql: and added NSS_DEFAULT_DB_TYPE="sql" on the line before the command invocation (instead of exporting the environment variable). In this manner, everything worked perfectly with no warning messages. In addition, I have been able to add user certificates as .pkcs12 files using:

NSS_DEFAULT_DB_TYPE="sql" pk12util -d $HOME/.pki/nssdb -i <path_to_cert_file> -n "This Cert's Nick".

To get a site's certificate:

echo QUIT | openssl s_client -connect site:443 | sed -ne '/BEGIN CERT/,/END CERT/p'

The error is also in Ubuntu Karmic. But what is the solution/workaround?

You will also need to pass the following flag to chrome if you want to have SSL support: --auto-ssl-client-auth, eg:

$ google-chrome --auto-ssl-client-auth 

Chromium just sits there trying to connect and this is what I see on the console:

$ chromium-browser --auto-ssl-client-auth
3601:3612:9920367083:ERROR:net/socket/ssl_client_socket_nss.cc(1052)? handshake failed; NSS error code -5938, net_error -107
3601:3612:9981604894:ERROR:net/socket/ssl_client_socket_nss.cc(1052)? handshake failed; NSS error code -5938, net_error -107

I've verified with certutil that my personal certificate has been imported successfully. This is on Ubuntu 10.04 Lucid (pre-release) with Chromium 5.0.307.9. I used the --auto-ssl-client-auth option as advised by nicolas.pinto.

On Ubuntu (Karmic) I have just unchecked check for server certificate revocation to make it work for the time being. Is there a better solution available?

same here

pow@debian:~/Downloads/s4$ google-chrome --auto-ssl-client-auth [6026:6041:9641614080:ERROR:net/socket/ssl_client_socket_nss.cc(1275)] handshake failed; NSS error code -8054, net_error -2

unchecking "check for server certificate revocation" also doesn't work for me

using google chrome 5.0.366.2 dev on Debian Unstable

Linux google-chrome 成功导入证书： http://blog.csdn.net/chinainvent/archive/2010/04/15/5490371.aspx

Quick update: the '5.0.375.38 beta' version does not need the --auto-ssl-client-auth option.

Intento abrir la sesión a la intranet de mi universidad (UPV) y me devuelve el error: Certificado del servidor no válido. En cambio con firefox entro sin ningún tipo de problema y antes con chrome también, me ha sucedido tras actualizar. ¿Que me proponéis? gracias

So, all I want is for Chromium to stop nagging about a self-signed local server certificate. I added the certificate as described but still the red page comes up. What am I missing? Ubuntu 10.04 LTS, Chromium 5.0.342.9 (43360) Ubuntu

Here's a quick-n-dirty script to help manage your certs (especially if they expire every 7 days like personal Kerberized CA (KCA) certs do at Fermilab):

#!/bin/bash

DB="-d sql:$HOME/.pki/nssdb"

case "$1" in

list)

certutil $DB -L

;; details)

certutil $DB -L -n "$2"

;; add-ca)

certutil $DB -A -t "$2" -n "$3" -i "$4"

;; add)

pk12util $DB -i "$2"

;; del)

certutil $DB -D -n "$2"

;;

echo "Usage [list|details|add-ca|add|del]" echo " \"details\" requires <nickname>" echo " \"add-ca\" requires <trustargs> <nickname> <certificate filename>" echo " \"add\" requires <filename>" echo " \"del\" requires <nickname>" exit 1

;;

thanks for the info

There is a tool in Mozilla repository for OpenSUSE called nss-manager that is a standalone GUI for managing NSS certificates.

You can also find it on http://software.opensuse.org/search

I'm on 64-bit Karmic and am having the same problem identified above (the less than illuminating "certutil: function failed: security library: invalid arguments" error). Short of peeking inside the code, does anyone know a way to coerce certutil to spit-out more error details? I'd really like to get this fixed, but I've got next to no information to work with at the moment... It's frustrating ><

I have no comments at present.

It's so complex!

Thanks to the Chromium dev and contributors. keep up the work on documentation.

nicolas@nicolas-desktop:/home/nicolas$ certutil -d sql:/home/nicolas/.pki/nssdb -L

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

That's all I get. Something must be wrong. Where are all the certificates like the CA from VeriSign? e.g.? They must be definitely available somewhere in my system as my banking site works without complaints ...

It's not mentioned here, but exporting a certificate to a PKCS12 file is easy:

pk12util -d sql:$HOME/.pki/nssdb -o out.p12 -n "certificate name"

Ugh. What about non-technical people using Linux! I'm utterly confused!

A fix for the certutil: function failed: security library: invalid arguments. error:

The database directory is apparently corrupted.

Move it to some backup location, then recreate it:

mv ~/.pki/nssdb ~/.pki/nssdb.backup
mkdir ~/.pki/nssdb
chmod 700 ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -N

Then try listing contents (should be empty):

certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Now you should be able to add certs as documented.

At least create a graphical front-end to the NSS shared DB, as part of the Chrome browser.

I'm trying to delete two certs that I have, however, I'm unable to enter the correct certificate name (if any). I have:

$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

NSS Certificate DB:http://csarven.ca/#i's Not a Certification Authority ID u,u,u NSS Certificate DB:http://csarven.ca/#i's Not a Certification Authority ID u,u,u

Not sure what to put for cert-name here:

certutil -d sql:$HOME/.pki/nssdb -D -n

I have tried the CN, which is http://csarven.ca/#i, however that didn't work. Is there a way to get this info?

My short adventure using this with SAP's site to set up a client cert: The browser downloads a 'cert file' that is actually a multipart mime message. Once I used munpack to extract the cert, the certutil command above worked to import it. I hope that's helpful to someone!

Adding a personal certificate that way works, but be wary - it is a major SECURITY RISK!!! You're precious private key is not encrypted this way. Anyone that could copy your $HOME/.pki/nssdb dir can authenticate as YOU! This is absolutely a no-go for using Chrome with Internet banking or similar.

Agreed by some that posted.. This is complex. Can someone create a script to help with this?

Why can't the Chromium developers simply use whatever method Firefox uses? Why is this so hard. Is not Firefox source code available under a license that permits another free browser such as Chrome to use it.... This is an unacceptable situation given the capacity for Google to create what we need!

They are using what FireFox? uses. All the commands here are from Mozilla tools. They simply didn't spend resources in providing it a Chrome/ium GUI.

When I use firefox, I can use my CAC (government issued smart card) to access websites because Firefox presents me with a PIN prompt and certificate selection (via libcoolkeypk11.so). Chrome(ium) does none of that so what exactly are they using? Chrome(ium) developers can't create a connection to libcoolkeypk11.so or can't create a couple of dialogs? This is crazy!

I found this method for adding self signed certificates with Ubuntu (assume it will work with other distros.

http://blog.avirtualhome.com/2010/02/02/adding-ssl-certificates-to-google-chrome-linux-ubuntu/

Worked for me first time :-) Why cant google add this little script to add a self signed cert? Maybe someone (I could try) write a plugin to do this.

#!/bin/sh
#
# usage:  import-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
exec 6>&1
exec > $REMHOST
echo | openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "$REMHOST" -i $REMHOST 
exec 1>&6 6>&-

If you get an error with the above method try removing any old certs and re-try:

certutil -D -n <the name> -d sql:$HOME/.pki/nssdb

For those who still encounter problems with the verification of self-signed server certificates, it appears that chromium expects the certificate to include the URL of the server under "Common Name (CN". This is a little bit surprising since openssl would suggest "(eg, YOUR name)" here.

I found a pretty easy way. Add your certificates into Firefox. There is a pretty good GUI. Then according to this howto convert and move FF database info .pki/nssdb one.

https://wiki.mozilla.org/NSS_Shared_DB_Howto

Ok, so I'm going to try and make this as nice as possible. The steps above are very frustrating for Fedora 14.

Step 1: yum install nss-tools Results: successful

Step 2: List all certificates certutil -d sql:$HOME/.pki/nssdb -L Result: FAIL

Notes: certutil: function failed: security library: bad database. rpm -qa | grep nss-tools nss-tools-3.12.8-2.fc14.x86_64

Comment: Does this really need to be this difficult to simply import a certificate??

Google Chrome Stable 7.0.517.44 , Ubuntu 10.04 OK I managed to get this working using the above instructions. To get the certificate I clicked the proceed anyway button on the red warning page, then clicked on the crossed out https: in the url> Certificate Information>Details>Export...>PKCS#6, certificate chain>Save Then:

sudo apt-get install libnss3-tools
certutil -d sql:$HOME/.pki/nssdb -L
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <nickname> -i <filename>
#verify the certificate's in there
certutil -d sql:$HOME/.pki/nssdb -L

Now restart Chrome (I did it without restarting and it didn't work)

I got an Error 207 (net::ERR_CERT_INVALID) from Chromium 8.0.552.208 when importing an S/MIME Certificate (from startssl.com).

The keys were generated and stored in key4.db but startssl wouldn't deliver (or recreate) the certificate again without the key into firefox. Used the above Howto at mozilla.org and made the two links and voilà.

That's nice tgulacsi78. Thanks. I added to it somewhat to create a script:

#!/bin/bash 
echo QUIT | openssl s_client -connect "$1":443 | sed -ne '/BEGIN CERT/,/END CERT/p' > /tmp/"$1" 
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "$1" -i /tmp/"$1" && rm /tmp/"$1"

I saved that in "addcert.sh". Usage is: addcert.sh <site_to_add>

e.g. addcert.sh test.com

I would be quite nice to your customers to "reinvent the wheel"! Mozilla didn't mind that and gave us nice tools in their products...

I see, you don't want to reinvent the whell. But the whell doesn't exist yet. There isn't a graphical front-end to NSS command line tool.

On Ubuntu Karmic, I didn't see any built-in certificates with this command:

certutil -d sql:$HOME/.pki/nssdb -L

However, with the "-h all" option I could see all the certs. i.e. this works if you can't see any built-in certs:

certutil -d sql:$HOME/.pki/nssdb -L -h all

What a massive , gigantic stuff-around this all is and the reason that 'nix OS's haven't seen uptake.

nss prefix not needed for gentoo ~amd64

certutil -d sql:$HOME/.pki/nssdb -L does not list any certificates. Just a "Certificate Nickname, Trust Attributes" header on my Arch system. :(

.pki/ .pki/nssdb .pki/nssdb/key4.db .pki/nssdb/cert9.db .pki/nssdb/pkcs11.txt

2 ear9mm: yeah! script (Oct 23, 2010) do work for selfsigned server certs (instead of -t "P,,")

Oh come on. Where do we get a proper CERT management ?! I mean a window-based and not a console one....

vaya puta mierda

This is fixed in Unstable version (http://www.chromium.org/getting-involved/dev-channel). Not sure about Beta.

Can you say a few words on how this is fixed, e.g. is there going to be a GUI?

Thanks!

This has to be a joke! I'm testing Chromium, and it took me less than 10 minutes to determine that if it lacks such a simple thing as this, it simply doesn't work for me.

Just to be fair, and end this thread on a positive note, after having gone to NSS hell and back I just simply downloaded the latest OpenSUSE Chrome RPM and it turns out to have a built-in certificate manager, having the regular type of functionality I'd been waiting for. Big thanks to Google folks, looks great.

pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12

@marc are you kidding? There is no SSL Cert Manager (Using Chromium 14.0.803.0)

@t4cghcif : there is, atleast under 14.0.821. wrench > preferences > under the hood > manage certificates

Looks like this is a problem:

[speeddy@tomcat chrome]$ ./google-chrome [8267:8303:12145525686:ERROR:x509_certificate_nss.cc(808)] CERT_PKIXVerifyCert for wiki.alertlogic.net failed err=-8179 [8267:8302:12145677990:ERROR:x509_certificate_nss.cc(808)] CERT_PKIXVerifyCert for nms.alertlogic.net failed err=-8179 this = 182618432 SetHotKey? true!

Imported keys by telling firefox to remember the exception, then copying the stores from ~/.mozilla/firefox/(profile.name) to /etc/pki/nssdb and ~/.pki/nssdb.

Then I ran the above command which started Chrome but did not allow the pages to work.

Note: google chrome is too stupid to use the cert it is given by the remote website if there's an old revoked one in .pki. Once a saved pki is revoked, google chrome is dead in the water. Clear out the cert, or more easily just rm -rf the whole .pki subdirectory and google will start behaving properly.