We have moved to a new Sailfish OS Forum. Please start new discussions there.
37

Browser personal certificates import

asked 2013-12-25 01:08:05 +0200

zlatko gravatar image

updated 2014-03-24 11:34:03 +0200

An option to import and use security certificates in browser.

EDIT(1.0.4.20): I am still stuck at the same problem, not being able to select the certificate I have imported and is present in DB. Hope someone from Jolla(@veskuh ?) is paying attention to this issue.

edit retag flag offensive close delete

Comments

If you have developer mode enabled you can work around this and import certificates manually into both the OS and the browser. Nevertheless a proper solution would be preferred.

tbr ( 2013-12-25 16:03:25 +0200 )edit

@tbr Where are the browser certificates stored? How can I import them? Is it just simple copy to dedicated directory?

zlatko ( 2013-12-25 17:03:51 +0200 )edit

The little strange thing: if you want to import a *.pem file to install it in the browser, you get a popup to select in which area you will trust (e-mail, code signing, server). But you never could see the certificate or to confirm it, because the buttons are not clickable ;)

mono ( 2013-12-25 23:08:12 +0200 )edit

@mono How you even attempt import? I haven't fund such an option in Jolla native browser.

zlatko ( 2013-12-26 09:04:50 +0200 )edit

@zlatko: I did not attempt to import a personal client certificate, but a simple certification authority certificate like http://www.cacert.org/certs/root.crt . If you simple open it with the browser, you will get http://paste.fls-wiesbaden.de/2y1tns for example. But you cannot confirm the dialog.

mono ( 2013-12-26 20:54:35 +0200 )edit

1 Answer

Sort by » oldest newest most voted
10

answered 2014-01-01 18:21:42 +0200

pcfe gravatar image

updated 2014-01-01 18:27:44 +0200

Try this and report back please.

For this specific question (import into the browser), the 2 steps as user nemo should be sufficient. The 2 steps as user root are only necessary if you intend to use the imported certificate(s) with the system wide NSSdb.

preliminary steps

  • Download your certificate(s) to the phone.
  • Install nss-tools (pkcon install nss-tools)

Import, name and trust the certificate(s)

You can do theses steps either in developer mode, in the Terminal, on the phone itself, or you can ssh to the phone (also needs dev mode IIRC). The browser can be running while you do this, but for it to use the new CA certificate, I had to end it with a swipe down and re-launch it.

[nemo@localhost ~]$ certutil -A -n "CAcert root" -t "TC,TC,TC" -d /home/nemo/.mozilla/mozembed/ -i /home/nemo/Downloads/root.crt 
[nemo@localhost ~]$ certutil -A -n "CAcert class 3" -t "TC,TC,TC" -d /home/nemo/.mozilla/mozembed/ -i /home/nemo/Downloads/class3.crt

This should import (in this case both the CAcert root and class 3) a CA certificate and trust it[1] I did the same as root to cover the system wide NSSdb

[root@localhost ~]# certutil -A -n "CAcert root" -t "TC,TC,TC" -d /etc/pki/nssdb -i /home/nemo/Downloads/root.crt 
[root@localhost ~]# certutil -A -n "CAcert class 3" -t "TC,TC,TC" -d /etc/pki/nssdb -i /home/nemo/Downloads/class3.crt

[1] see the certutil --help output. when choosing your trust arguments.

   -t trustargs      Set the certificate trust attributes:
                          trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
                          and z is for code signing. Use ,, for no explicit trust.
                          p      prohibited (explicitly distrusted)
                          P      trusted peer
                          c      valid CA
                          T      trusted CA to issue client certs (implies c)
                          C      trusted CA to issue server certs (implies c)
                          u      user cert
                          w      send warning
                          g      make step-up cert

Only the trusts that make sense end up in your DB. In this case that is CT,C,C

edit flag offensive delete publish link more

Comments

(1/2)@pcfe I managed to import personal(.p12) certificate using pk12util from nss-tools(thank you fro the hint!). I used following command:

pk12util -i cert.p12 -d /home/nemo/.mozilla/mozembed/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL

I see cert in DB.

zlatko ( 2014-01-01 20:58:27 +0200 )edit

(2/2) But when I try to use it in browser going to the cert requiring site, I got prompted to select a cert to use, but there is empty list and I can not select anything. The prompt dialog is strange, very tiny and hard to navigate. May be someone from Jolla can give a hint?

zlatko ( 2014-01-01 21:02:28 +0200 )edit

@zlatko Did you do the import with pk12util as user nemo (correct) or as root (the browser might be unable to read the file)?

Can you please give us the output of

ls -l /home/nemo/.mozilla/mozembed/

pcfe ( 2014-01-02 14:24:09 +0200 )edit

@pcfe I imported the cert as nemo, I can see it as an entry in cert8.db(certutil -L). I can not post the entire list of files in mozembed due char. num. restrictions here, but:

[nemo@localhost ~]$ ls -l .mozilla/mozembed/
-rw------- 1 nemo nemo   98304 2014-01-01 20:30 cert8.db
zlatko ( 2014-01-02 21:02:21 +0200 )edit
1

also, don't forget pki openssl based programs

AL13N ( 2014-01-12 12:48:43 +0200 )edit
Login/Signup to Answer

Question tools

Follow
12 followers

Stats

Asked: 2013-12-25 01:08:05 +0200

Seen: 2,219 times

Last updated: Mar 24 '14