How to tell chromium to truse a sites certificate?

[Marco]

Hi,

I regularly visit a site which uses a self-signed certificate
(https://awesome.naquadah.org/bugs/). Every time I visit the site a
message pops up:

The site's security certificate is not trusted!

You attempted to reach awesome.naquadah.org, but the server
presented a certificate issued by an entity that is not trusted by
your computer's operating system. This may mean that the server
has generated its own security credentials, which Chromium cannot
rely on for identity information, or an attacker may be trying to
intercept your communications.

In the settings chrome://chrome/settings/certificates I selected the
certificate and clicked “Trust this certificate for identifying
websites” and the “Untrusted” banner vanished. However, the
mentioned message still pops up every time.

How can I tell chromium to trust the sites certificate?

I use version 21.0.1180.89


Marco

[krtulmay]

If a publicly accessible website uses SSL, they should pay the $10 to get a valid SSL cert.

[Marco]

2012-10-12 krtulmay:

Hi krtulmay,

> If a publicly accessible website uses SSL, they should pay the $10 to get a
> valid SSL cert.

That's a valid point, indeed. However, I trust the self-signed
certificate and I want my browser to do the same. I just don't know
how to add it as trusted.


Marco

[Tibor]

Will you pay that $10? If so then I'll send you the list of domains I need certificate for :-)

Not to mention that for development you'd need a wildcard or multi-subdomain certificate, what are more than $10.

[krtulmay]

Why would you ask me to pay for the SSL cert?  Purchasing valid SSL certs for publicly accessible SSL websites is just part of the administrative costs involved in providing those site services.

Most development sites are internal only.  If you wish to get valid SSL certs for those as well, that's your choice.

@Tibor, if you have a list of PUBLICLY accessible domains you administer that you need certs for, whether you want single or multi-subdomain certs, it's part of your administrative costs for those domains to get valid SSL certs.

Training users to trust public-facing, self-signed certs and wanting the browser to also trust them is a bad thing to want.

[Marco]

2012-10-13 krtulmay:

> Training users to trust public-facing, self-signed certs and wanting the
> browser to also trust them is a bad thing to want.

I am not trying to train users in any way. All I want is to add this
exception. Fact is that I trust the certificate and I want chromium
to do the same. It's annoying to get this warning every time.

On Firefox I have a button “I understand the risk” and then I can
add “Add exception permanently”. That is the functionality I am
looking for. How to do that in Chromium?


Marco

[PhistucK]

What is your platform?

I am not sure about Chrom(ium) OS, but in other platforms, you should make your operating system trust the certificate and the warning should go away.

☆PhistucK

Marco


--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
    http://groups.google.com/a/chromium.org/group/chromium-discuss

[Marco]

2012-10-14 PhistucK:

> What is your platform?

Debian GNU/Linux (unstable)

> I am not sure about Chrom(ium) OS, but in other platforms, you should make
> your operating system trust the certificate and the warning should go away.

Frankly, I didn't even know that was possible. I always thought it's
the browsers business. In Firefox at least it works like that. Do
you know, by any chance, how do do that?


Marco

[PhistucK]

I searched for "trust certificate debian" and found this page -

http://unix.stackexchange.com/questions/17748/trust-a-self-signed-pem-certificate

I am not a Linux user, so I do not know, others better chime in.

☆PhistucK

Marco

[Marco]

2012-10-14 PhistucK:

Hi PhistucK,

> I searched for "trust certificate debian" and found this page -
> http://unix.stackexchange.com/questions/17748/trust-a-self-signed-pem-certificate

Thanks for the link. But I think that generating my own certificate
authority just to get rid of this warning is overkill.

Marco

[PhistucK]

I believe this "overkill" is a built in security feature of any operating system.

☆PhistucK

Marco

[Marco]

2012-10-14 PhistucK:

> I believe this "overkill" is a built in security feature of any operating
> system.

Back to my initial problem. In Firefox I can click “Add exception”
and I am done. Is there a possibility to do the same in chromium?

As mentioned in my first post I clicked “Trust this certificate for
identifying websites” and the “Untrusted” banner vanished. This
means chromium can be configured to trust a particular certificate.
I just doesn't work, the warning still appears. Apparently I am not
doing it right.


Marco

[Pavel Ivanov]

On Sun, Oct 14, 2012 at 3:58 AM, Marco <net...@lavabit.com> wrote:
> 2012-10-14 PhistucK:
>
>> I believe this "overkill" is a built in security feature of any operating
>> system.
>
> Back to my initial problem. In Firefox I can click “Add exception”
> and I am done. Is there a possibility to do the same in chromium?

No, there's no such possibility in Chromium.

> As mentioned in my first post I clicked “Trust this certificate for
> identifying websites” and the “Untrusted” banner vanished. This
> means chromium can be configured to trust a particular certificate.
> I just doesn't work, the warning still appears. Apparently I am not
> doing it right.

You can make "Untrusted" banner vanish and not appear again only for
the duration of one session. After Chromium restarts banner will
appear again.


Pavel

[Marco]

2012-10-14 Pavel Ivanov:

Hi Pavel

> > Back to my initial problem. In Firefox I can click “Add exception”
> > and I am done. Is there a possibility to do the same in chromium?
>
> No, there's no such possibility in Chromium.

Thanks for that straightforward answer.

> > As mentioned in my first post I clicked “Trust this certificate for
> > identifying websites” and the “Untrusted” banner vanished. This
> > means chromium can be configured to trust a particular certificate.
> > I just doesn't work, the warning still appears. Apparently I am not
> > doing it right.
>
> You can make "Untrusted" banner vanish and not appear again only for
> the duration of one session. After Chromium restarts banner will
> appear again.

I rarely have a reason to restart my browser, so I didn't notice
that. Thanks for pointing that out.


Marco

[Tibor]

On Sunday, October 14, 2012 12:22:28 AM UTC+1, krtulmay wrote:

Why would you ask me to pay for the SSL cert?  Purchasing valid SSL certs for publicly accessible SSL websites is just part of the administrative costs involved in providing those site services.

Because you stated that they should buy a certificate because it's (only) $10USD. If you take this issue so easy I assume money isn't a problem for you as opposed to many others.

 

Most development sites are internal only.  If you wish to get valid SSL certs for those as well, that's your choice.

Most but not all. And the choice of many is that they don't want to spend any money on those websites.

If self signed certificates are valid browsers should be able to handle them as valid (of course not by default). 

 

@Tibor, if you have a list of PUBLICLY accessible domains you administer that you need certs for, whether you want single or multi-subdomain certs, it's part of your administrative costs for those domains to get valid SSL certs.

I'm using such websites not administer them.

 

Training users to trust public-facing, self-signed certs and wanting the browser to also trust them is a bad thing to want.

There are users and users. 

Some have no idea what SSL and certificates are, so whatever Chrome does they will enter their PIN code on a fake website with a trusted but fake SSL certificate.

Some know what a self signed certificate is, so they know what it means to instruct the browser to trust it.

BTW, what do you call public website?

A website having N+ users?

A website what shows up in Google search results?

A website what can be accessed from internet?

What about Cpanel, Plesk and similar sites for hosting packages?

These can be accessed by anybody who knows the IP address or naming pattern, but using paid certificates instead of self issued ones would make them too expensive, and probably you couldn't get a certificate for an IP address at all.

Other issue is that in many cases a $10 one domain cert wouldn't be enough, a wildcard cert would be needed.

There are many other cases when there are publicly accessible websites what are used by many people but are not generating that much revenue so that it would be profitable to buy a certificate.

[Tibor]

The problem with this approach is that the root (CA) certificate is needed for this and some organizations using self signed certificates refuse to publish those. Back to square one :-|

[Deleterios]

Hi,

On Friday, October 12, 2012 6:43:26 PM UTC+2, Marco wrote:

How can I tell chromium to trust the sites certificate? 

Did you try this: http://code.google.com/p/chromium/wiki/LinuxCertManagement ? 

[Marco]

2012-10-15 Deleterios:

Hi Deleterios

> > How can I tell chromium to trust the sites certificate?
> >
>
> Did you try this:
> http://code.google.com/p/chromium/wiki/LinuxCertManagement ?

Whow!! I executed this command:

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," \
-n <certificate nickname> -i <certificate filename>

and it works perfectly, no annoying message any more. The setting is
persistent across restarts. Such a simple solution. You're my hero!
Thanks a million!


Marco