How do I set up Client Authentication for Google Chrome on Linux?

Problem

How do I set up Client Authentication for Google Chrome on Linux?

Resolution

Google Chrome uses the built in certificate store of the operating system it is installed in.  On Linux, it uses the NSS Shared DB that is located in the hidden $HOME/.pki folder.  In order to manipulate the certificates in this database, you must use the command line tool certutil and pk12util.

First you must install the necessary tools.  The command to obtain the tools differs based on your Linux distribution.

Debian/Ubuntu: sudo apt-get install libnss3-tools
Linux Mint: sudo apt-get install libnss3-tools
Fedora: su -c "yum install nss-tools"
Gentoo: su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && emerge dev-libs/nss" Note: You will need to launch all commands on Gentoo with the nss prefix, e.g., nsscertutil.
Opensuse: sudo zypper install mozilla-nss-tools

First you want to view which Root certificates your system trusts.  You can do this by navigating to /etc/ca-certificates.conf.  Search to see if you have the following:

QuoVadis Root CA
QuoVadis Root CA 2
QuoVadis Root CA 3

Note: These are generally built into Linux by default and pulled from directly from Mozilla.

Obtain a PKCS#12 file (*.pfx or *.p12) of the certificate you will use for authentication.  When the file is in your computer, you must run the following command in Terminal:

pk12util -d sql:$HOME/.pki/nssdb -i [path_and_name_to_PKCS#12_file.p12]

You should receive a message in terminal that says, "pk12util: PKCS12 IMPORT SUCCESSFUL".

In order to view your personal certificates, you must run the following command in terminal:

certutil -d sql:$HOME/.pki/nssdb -L

You should completely close all instances of Google Chrome.  This will refresh the certificates in use by the browser.  When you navigate to the website that requires certificate authentication, it should prompt you to select one of your installed certificates.

Add Feedback