LinuxQuestions.org
Old 09-30-2011, 09:52 PM   #1
dudeman41465
Member
 
Registered: Jun 2005
Location: Kentucky
Distribution: Ubuntu
Posts: 794

Rep: Reputation: 56
DoD Root Certificate Installation in Linux


Not sure how many of you this will apply to. Many of you may notice that, if you run Linux and use Google Chrome, you get prompted to "Proceed Anyway" any time you try to go to a DoD site, and some of them won't open at all. I've tried various methods of importing the certificates using Google Chrome and it never worked. The way I managed to get it to work was to use certutil to import the certificates into your personal PKI store so that not only Google Chrome, but other applications have trusted access to the root certificates. I read about it on this web-page. I wrote a short bash script to automate the process for you, and thought I would share with you guys.

Download the Script Here

Here's the source code of it if you just want to run the commands yourself:
Code:
#!/bin/bash
#DoD Root Certificate Installer Version 1
#Downloads and installs the DoD root certificates so browsers like Google Chrome can open and use DoD sites without bugging the hell out of you.
#Written for use on a Debian system.  If you're not using Debian the commands are still relevant, just make sure you have the program certutil available, and remove the part that installs libnss3-tools
#Marcus Dean Adams (marcusdean.adams@gmail.com) 30 September 2011

#Makes sure the script is running as a normal user, so the certificates will get imported into their personal certificate store, and not the one for the root account.
if [[ $EUID = 0 ]]; then
   echo "This script must be run as your normal user account, if you REALLY want to import these certs as root, just edit this script and remove this whole section." 1>&2
   exit 1
fi

#Installs libnss3-tools on Debian based systems; this package provides the certutil functionality.
echo "Installing pre-requisite..."
echo ""
su-to-root -c "apt-get -y install libnss3-tools"

#This makes a temporary folder in the $HOME of the current user named .dodcerts, downloads the certificates to there, installs them, then removes the folder.
echo "Downloading and installing certificates..."
mkdir -p "$HOME/.dodcerts"
#Stops if the temporary folder can't be entered, so nothing is downloaded to or imported from the wrong place.
cd "$HOME/.dodcerts" || exit 1
wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b
wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b
wget http://dodpki.c3pki.chamb.disa.mil/dodeca2.p7b
for n in *.p7b; do certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$n" -i "$n"; done
rm -rf "$HOME/.dodcerts"

#Exits properly.
exit
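
Added example, not part of the original post or script: the script above fetches its trust anchors over plain HTTP and imports whatever arrives, so this sketch gates the same certutil import on SHA-256 pins obtained through a separate trusted channel. The pin file format, the function names and the sample files are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: gate the thread's certutil import on out-of-band SHA-256 pins.
# Pin file format (an assumption): "<sha256-hex>  <file name>", one per line.

sha256_of() {   # print the hex SHA-256 of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"
    else shasum -a 256 < "$1"; fi | awk '{print $1}'
}

check_pin() {   # 0 = digest matches pin, 1 = mismatch, 2 = no pin for this name
    local file="$1" pins="$2" want
    want=$(awk -v n="${file##*/}" '$2 == n {print tolower($1); exit}' "$pins")
    [ -n "$want" ] || return 2
    [ "$(sha256_of "$file")" = "$want" ]
}

vet_bundles() { # one "<status> <path>" line per *.p7b in directory $1
    local f rc
    for f in "$1"/*.p7b; do
        [ -e "$f" ] || continue
        if check_pin "$f" "$2"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "ok $f" ;;
            2) echo "unpinned $f" ;;
            *) echo "mismatch $f" ;;
        esac
    done
}

import_vetted() { # same certutil call as the script, for "ok" bundles only
    local db="${3:-sql:$HOME/.pki/nssdb}" status path
    vet_bundles "$1" "$2" | while read -r status path; do
        if [ "$status" = ok ]; then
            certutil -d "$db" -A -t TC -n "${path##*/}" -i "$path"
        else
            echo "refusing $path ($status)" >&2
        fi
    done
}

demo() {        # constructed stand-in files, not real DoD bundles
    local d; d=$(mktemp -d)
    printf 'constructed bundle A\n' > "$d/good.p7b"
    printf 'constructed bundle B\n' > "$d/tampered.p7b"
    printf 'constructed bundle C\n' > "$d/extra.p7b"
    echo "$(sha256_of "$d/good.p7b")  good.p7b" > "$d/pins.txt"
    echo "$(printf '%064d' 0)  tampered.p7b" >> "$d/pins.txt"
    vet_bundles "$d" "$d/pins.txt" | sed "s|$d/||"
    rm -rf "$d"
}
demo
```

In real use the pin list has to be filled in from the certificate publisher through a channel other than the download itself, then `import_vetted "$HOME/.dodcerts" pins.txt` replaces the script's `for` loop.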
 
Old 09-30-2011, 10:03 PM   #2
jhwilliams
Senior Member
 
Registered: Apr 2007
Location: Portland, OR
Distribution: Debian, Android, LFS
Posts: 1,168

Rep: Reputation: 211
Hi Marcus,

Does this approach carry over to certificate chains (*.crt) that may be more prevalent in the private sector? You describe a general problem - I am trying to find a path to tune the solution to my specific situation.

Thanks,
Jameson
 
Old 09-30-2011, 10:54 PM   #3
dudeman41465
Member
 
Registered: Jun 2005
Location: Kentucky
Distribution: Ubuntu
Posts: 794

Original Poster
Rep: Reputation: 56
I don't see anything in the help that says it won't, and there's no man page. This is the first time I've used this utility, so I've not had the opportunity to try it with various certificate types; however, Mozilla apparently includes it with some of their software, and they provided this example command to import a .crt file. After some Googling I can't find much official documentation for certutil, but Red Hat had this to offer, and here's Mozilla's link.

Code:
certutil -A -n jsmith@netscape.com -t "p,p,p" -i mycert.crt -d certdir
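
Added example, not part of the thread: the two commands on this page grant different trust. In NSS trust flags, `TC` in the first (SSL) field marks a CA as trusted to issue client and server certificates, while `p,p,p` only marks a certificate as a valid peer, so it does not create a trust anchor. The function below classifies `certutil -L` output so the anchors in a store can be reviewed; the listing is constructed and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: classify entries of an NSS store by their SSL trust flags.
# Reads `certutil -L` output on stdin, prints "<class> <ssl-flags> <nickname>":
#   anchor  SSL field has C or T (trusted CA for server/client certificates)
#   peer    SSL field has P (this one certificate is trusted, not as a CA)
#   none    no SSL trust granted (for example "p", "c" or an empty field)
trust_report() {
    awk '
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        split($NF, field, ",")
        ssl = field[1]
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trailing flags column
        if (ssl ~ /[CT]/)   class = "anchor"
        else if (ssl ~ /P/) class = "peer"
        else                class = "none"
        print class, (ssl == "" ? "-" : ssl), nick
    }'
}

sample_listing() {  # constructed `certutil -L` output, not from a real store
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rel3_dodroot_2048.p7b                                        CT,,
dodeca.p7b                                                   CT,,
jsmith@netscape.com                                          p,p,p
Example Intranet Server                                      P,,
EOF
}

sample_listing | trust_report
```

Against a real store the input comes from `certutil -L -d sql:$HOME/.pki/nssdb | trust_report`; every `anchor` line is a CA that browsers using that store will accept for any site.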
 
Old 10-01-2011, 12:38 AM   #4
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,734
Blog Entries: 12

Rep: Reputation: 463
CommonAccessCard - https://help.ubuntu.com/community/CommonAccessCardv

Covers a few other ways to use them.
 
1 members found this post helpful.
  

