37

Browser personal certificates import

asked 2013-12-25 01:08:05 +0300

zlatko

updated 2014-03-24 11:34:03 +0300

An option to import and use security certificates in browser.

EDIT (1.0.4.20): I am still stuck at the same problem, not being able to select the certificate that I have imported and that is present in the DB. Hope someone from Jolla (@veskuh?) is paying attention to this issue.


Comments

If you have developer mode enabled you can work around this and import certificates manually into both the OS and the browser. Nevertheless a proper solution would be preferred.

tbr (2013-12-25 16:03:25 +0300)

@tbr Where are the browser certificates stored? How can I import them? Is it just a simple copy to a dedicated directory?

zlatko (2013-12-25 17:03:51 +0300)

The slightly strange thing: if you want to import a *.pem file to install it in the browser, you get a popup to select in which area you will trust it (e-mail, code signing, server). But you can never see the certificate or confirm it, because the buttons are not clickable ;)

mono (2013-12-25 23:08:12 +0300)

@mono How did you even attempt the import? I haven't found such an option in the Jolla native browser.

zlatko (2013-12-26 09:04:50 +0300)

@zlatko: I did not attempt to import a personal client certificate, but a simple certification authority certificate like http://www.cacert.org/certs/root.crt . If you simply open it with the browser, you will get http://paste.fls-wiesbaden.de/2y1tns for example. But you cannot confirm the dialog.

mono (2013-12-26 20:54:35 +0300)

1 Answer

10

answered 2014-01-01 18:21:42 +0300

pcfe

updated 2014-01-01 18:27:44 +0300

Try this and report back please.

For this specific question (import into the browser), the 2 steps as user nemo should be sufficient. The 2 steps as user root are only necessary if you intend to use the imported certificate(s) with the system wide NSSdb.

Preliminary steps

  • Download your certificate(s) to the phone.
  • Install nss-tools (pkcon install nss-tools)

Import, name and trust the certificate(s)

You can do these steps either in developer mode, in the Terminal, on the phone itself, or you can ssh to the phone (also needs dev mode IIRC). The browser can be running while you do this, but for it to use the new CA certificate, I had to end it with a swipe down and re-launch it.

[nemo@localhost ~]$ certutil -A -n "CAcert root" -t "TC,TC,TC" -d /home/nemo/.mozilla/mozembed/ -i /home/nemo/Downloads/root.crt 
[nemo@localhost ~]$ certutil -A -n "CAcert class 3" -t "TC,TC,TC" -d /home/nemo/.mozilla/mozembed/ -i /home/nemo/Downloads/class3.crt

This should import (in this case both the CAcert root and class 3) a CA certificate and trust it [1]. I did the same as root to cover the system-wide NSSdb:

[root@localhost ~]# certutil -A -n "CAcert root" -t "TC,TC,TC" -d /etc/pki/nssdb -i /home/nemo/Downloads/root.crt 
[root@localhost ~]# certutil -A -n "CAcert class 3" -t "TC,TC,TC" -d /etc/pki/nssdb -i /home/nemo/Downloads/class3.crt

[1] See the certutil --help output when choosing your trust arguments.

   -t trustargs      Set the certificate trust attributes:
                          trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
                          and z is for code signing. Use ,, for no explicit trust.
                          p      prohibited (explicitly distrusted)
                          P      trusted peer
                          c      valid CA
                          T      trusted CA to issue client certs (implies c)
                          C      trusted CA to issue server certs (implies c)
                          u      user cert
                          w      send warning
                          g      make step-up cert

Only the trusts that make sense end up in your DB. In this case that is CT,C,C

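To review what an import like the one in the answer above actually left in the database, here is an added example (not part of the original answer) that parses certutil -L output and flags CA entries carrying trust outside the SSL field. The listing is constructed sample data, the "Example ..." nicknames are made up, and the script assumes that only browser (SSL) trust is wanted.

```shell
#!/bin/sh
# Constructed sample of `certutil -L` output. The two CAcert rows use the
# trust string the answer reports; the "Example ..." rows are made up.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CAcert root                                                  CT,C,C
CAcert class 3                                               CT,C,C
Example Server CA                                            C,,
Example Client Cert                                          u,u,u
EOF
}

# Read a `certutil -L` listing on stdin and print "nickname|trust|note".
audit_nss_trust() {
    awk '
    # Entry rows end in a trust triple such as "CT,C,C"; header rows do not.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        trust = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
        sub(/^[ \t]+/, "", nick)                # drop leading whitespace
        split(trust, f, ",")   # f[1]=SSL, f[2]=S/MIME, f[3]=code signing
        if (f[1] ~ /u/)
            note = "user-cert"                  # key pair present for this cert
        else if (f[2] ~ /[CT]/ || f[3] ~ /[CT]/)
            note = "ca-trust-beyond-ssl"        # wider than a browser needs
        else if (f[1] !~ /[CT]/)
            note = "no-ssl-ca-trust"
        else
            note = "ok"
        printf "%s|%s|%s\n", nick, trust, note
    }'
}

# Run on the sample. On the phone, feed it the real listing instead:
#   certutil -L -d /home/nemo/.mozilla/mozembed/ | audit_nss_trust
sample_listing | audit_nss_trust
```

An entry reported as ca-trust-beyond-ssl can be narrowed by importing with a trust string that fills only the first field, such as "C,,".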

Comments

(1/2) @pcfe I managed to import a personal (.p12) certificate using pk12util from nss-tools (thank you for the hint!). I used the following command:

pk12util -i cert.p12 -d /home/nemo/.mozilla/mozembed/
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL

I see the cert in the DB.

zlatko (2014-01-01 20:58:27 +0300)

(2/2) But when I try to use it in the browser by going to the site that requires the cert, I get prompted to select a cert to use, but the list is empty and I cannot select anything. The prompt dialog is strange, very tiny and hard to navigate. Maybe someone from Jolla can give a hint?

zlatko (2014-01-01 21:02:28 +0300)

@zlatko Did you do the import with pk12util as user nemo (correct) or as root (the browser might be unable to read the file)?

Can you please give us the output of

ls -l /home/nemo/.mozilla/mozembed/

pcfe (2014-01-02 14:24:09 +0300)

@pcfe I imported the cert as nemo, and I can see it as an entry in cert8.db (certutil -L). I cannot post the entire list of files in mozembed due to char. num. restrictions here, but:

[nemo@localhost ~]$ ls -l .mozilla/mozembed/
-rw------- 1 nemo nemo   98304 2014-01-01 20:30 cert8.db

zlatko (2014-01-02 21:02:21 +0300)
1

also, don't forget pki openssl based programs

AL13N (2014-01-12 12:48:43 +0300)
Stats

Asked: 2013-12-25 01:08:05 +0300

Seen: 2,172 times

Last updated: Mar 24 '14