
I have a gitlab server running in our company for which I have obtained a certificate signed by our company's CA. Since I can access the site from a machine within our domain without getting SSL errors, I'm assuming that the server is configured correctly.

When working with my laptop, I of course did not have the company CA certificate. For example openssl s_client -connect my.git.server:443 would return an "Error 19, self signed certificate in chain":

```
 0 s:/C=REDACTED
   i:/DC=REDACTED/DC=REDACTED/CN=IssuingCA
 1 s:/DC=REDACTED/DC=REDACTED/CN=IssuingCA
   i:/CN=RootCA
 2 s:/CN=RootCA
   i:/CN=RootCA
```

So I accessed the server and exported the root CA cert. I then added it to my system store:

```sh
sudo su
cp RootCA /usr/local/share/ca-certificates/extra/RootCA.crt
update-ca-certificates
```

Now openssl accepts it just fine (return code 0, ok). However, Google Chrome still complains:

This server could not prove that it is my.git.server; its security certificate is not trusted by your computer's operating system.

Were it not for this message, I'd have figured that Chrome has its own certificate store and doesn't care for the OS. But it seems quite clear that the certificate is trusted by the OS and Chrome refers to it.

I am running Ubuntu 18.04. Is this just a quirk of Chrome that it doesn't respect the system certs, or am I missing something?

LLlAMnYP
  • Chrome _does_ have its own certificate store. – Michael Hampton Dec 27 '18 at 13:22
  • @MichaelHampton There's no doubt about that, but does it also use the system store? – LLlAMnYP Dec 27 '18 at 13:26
  • Again, Chrome uses its own certificate store. – Michael Hampton Dec 27 '18 at 13:27
  • @MichaelHampton sorry, it wasn't clear that it *only* uses its own store. If that's the case, this is an answer I could accept. – LLlAMnYP Dec 27 '18 at 13:29
  • 1
    [This page](https://www.chromium.org/Home/chromium-security/root-ca-policy) says Chrome uses NSS (Firefox does this, too, FWIW), so I'd say this all may depend on how NSS is configured on your Ubuntu. Still, [this](https://askubuntu.com/a/248326) hints that there is simply no NSS-compatible system store on Ubuntu (the `/etc/ca-certificates` hierarchy is for software using OpenSSL (and maybe also GnuTLS, I dunno)). So, while I don't have a definite answer for you, those are the pointers to investigate. – kostix Dec 31 '18 at 18:08


In Ubuntu, Chrome uses its own certificate store. You can import your RootCA.crt in Chrome's

settings -> privacy and security -> manage security keys -> manage certificates -> authorities

Note that updating the Ubuntu system certificate store with update-ca-certificates has no effect on Chrome.

Kelvin
  • spent about 2 hours trying to figure out why Chrome is ignoring system certificates, now it is clear, thank you! – Victor Di Nov 11 '21 at 14:04
  • and to install the certificate via the command line you may use: `sudo apt-get install libnss3-tools` followed by `certutil -d sql:$HOME/.pki/nssdb -A -t "CP,CP," -n SomeName -i cert.crt` – shatulsky Jul 20 '23 at 14:13
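A way to verify that the import actually landed in the store Chrome reads, as an added example that is not part of the answer or the comments above: it parses the output of `certutil -L -d sql:$HOME/.pki/nssdb` (the per-user NSS database) and checks that the nickname is present with `C` (trusted CA) in the SSL trust column. The listing embedded below is constructed, not captured from a real machine; the nickname `Company Root CA` is an assumption.

```python
#!/usr/bin/env python3
"""Check an NSS user database listing for a CA trusted for SSL."""
import os
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample of what `certutil -L` prints: a two-line header, then
# one line per certificate whose last whitespace-separated token is the
# trust string "SSL,S/MIME,JAR/XPI". Nicknames may contain spaces.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Company Root CA                                              CP,CP,
my-client-cert                                               u,u,u
Untrusted Test CA                                            ,,
"""


def parse_certutil_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (ssl, smime, objsign) trust flag strings."""
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Certificate Nickname"):
            continue
        if stripped.startswith("SSL,S/MIME,JAR/XPI"):
            continue
        parts = stripped.rsplit(None, 1)  # split off only the trust string
        if len(parts) != 2 or parts[1].count(",") != 2:
            continue  # not a certificate line
        ssl, smime, objsign = parts[1].split(",")
        certs[parts[0]] = (ssl, smime, objsign)
    return certs


def trusted_ssl_ca(listing: str, nickname: str) -> bool:
    """True if nickname is present and its SSL flags contain 'C' (trusted CA)."""
    flags: Optional[Tuple[str, str, str]] = parse_certutil_listing(listing).get(nickname)
    return flags is not None and "C" in flags[0]


def current_listing(dbdir: str = "sql:" + os.path.expanduser("~/.pki/nssdb")) -> str:
    """Run certutil against the live database (needs libnss3-tools installed)."""
    return subprocess.run(["certutil", "-L", "-d", dbdir],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("sample: Company Root CA trusted:", trusted_ssl_ca(SAMPLE_LISTING, "Company Root CA"))
    try:
        print("live:   Company Root CA trusted:", trusted_ssl_ca(current_listing(), "Company Root CA"))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("live check skipped:", exc)
```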