Managing security certificates from the console - on Windows, Mac OS X and Linux

Tue, Jun 5, 2012

For me the last two weeks or so have involved a lot of wrestling with SSL certificates. One of the things that took some time to figure out was how to piggy-back on the tools provided by different Operating Systems to manage certificates. We did not want to rewrite NSS. Luckily for us, all the major OSes provide tools to manage certificates from the command line.

Windows


Windows provides two ways to deal with certificates from the command line - Certutil and certmgr.exe. We decided to go with Certutil because it is present out of the box on Windows 7 and Windows Server 2008, while certmgr.exe is part of the .Net runtime. This blog post will deal with Certutil.

Adding a certificate

certutil.exe -addstore -user root foo.crt

This will install the foo.crt certificate to the Trusted Root Certification Authorities store for the current user.

View certificates in a store

certutil.exe -viewstore -user root

This will list all the certificates in the Trusted Root Certification Authorities store for the current user. One drawback is that it opens a GUI window to show the list instead of writing to STDOUT.

List certificates in a store

certutil.exe -user -store root

This will list all the certificates in the Trusted Root Certification Authorities store for the current user to STDOUT.

There are more detailed explanations here.

Mac OS X


Mac OS X ships the security tool to let the user manage certificates and keychains.

Adding a certificate

security add-certificates foo.crt
security add-trusted-cert foo.crt

The first line adds foo.crt to the current user’s keychain, while the second line marks the newly added certificate as trusted. Without further options this means the certificate will be trusted for SSL, EAP and code signing. For finer-grained control over what the certificate is trusted for, the -p (policy) flag can be used.

security add-trusted-cert -p ssl foo.crt

This will trust the certificate only for SSL interactions.

Listing certificates

security find-certificate -a -e [email protected]

This will list all the certificates where the issuer’s e-mail address is [email protected]. Other fields that can be used for matching include -c (name).

Linux


On Linux, the best we could find was certutil, which is part of Mozilla’s NSS project.

Adding a certificate

certutil -A -d sql:~/.pki/nssdb -t C -n "Certificate Common Name" -i foo.crt

This will add foo.crt to the certificate database ~/.pki/nssdb, which is where applications like Chromium look for certificates.

Listing certificates

certutil -L -d sql:~/.pki/nssdb -n "Certificate Common Name"

This will list the certificates in the ~/.pki/nssdb with the common name “Certificate Common Name”.
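The three sections above amount to the same two operations (add a CA certificate to the user's trust store, then list the store to confirm it landed) done with a different native tool per OS. The following is an added example, not code from the original post: a small shell wrapper that dispatches to the tool for the OS it is running on, using the commands given above. OS detection via uname, the OS_NAME override and the DRY_RUN switch (which prints the command instead of running it) are my own assumptions; on Linux it limits the NSS trust flags to "C,," (trusted CA for SSL only) and on OS X it restricts trust to the ssl policy, which is the narrowest grant that still satisfies a browser:

```shell
# Added example (not from the original post): pick the OS-native certificate
# tool and run the add/list commands described above.
set -u

# Print the command instead of running it when DRY_RUN=1 (hypothetical knob
# added so the wrapper can be exercised without touching a real trust store).
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_root_cert <cert-file> <nickname>
# Installs a CA certificate into the current user's trust store, limiting
# trust to SSL/TLS where the tool lets us say so.
add_root_cert() {
    cert="$1"
    nick="$2"
    os="${OS_NAME:-$(uname -s)}"
    case "$os" in
        Darwin)
            # Two steps on OS X: put the cert in the login keychain, then
            # mark it trusted for the ssl policy only.
            run_cmd security add-certificates "$cert" &&
            run_cmd security add-trusted-cert -p ssl "$cert"
            ;;
        Linux)
            # Shared NSS database used by Chromium; "C,," = trusted CA for SSL only.
            run_cmd certutil -A -d "sql:$HOME/.pki/nssdb" -t "C,," -n "$nick" -i "$cert"
            ;;
        MINGW*|MSYS*|CYGWIN*)
            # Windows from a POSIX shell (e.g. Git Bash): current user's
            # Trusted Root Certification Authorities store.
            run_cmd certutil.exe -addstore -user root "$cert"
            ;;
        *)
            echo "unsupported OS: $os" >&2
            return 1
            ;;
    esac
}

# list_root_certs: dump what the store currently holds, so the add can be
# verified by inspecting the output rather than trusting the exit code.
list_root_certs() {
    os="${OS_NAME:-$(uname -s)}"
    case "$os" in
        Darwin) run_cmd security find-certificate -a -p ;;
        Linux)  run_cmd certutil -L -d "sql:$HOME/.pki/nssdb" ;;
        MINGW*|MSYS*|CYGWIN*) run_cmd certutil.exe -user -store root ;;
        *) echo "unsupported OS: $os" >&2; return 1 ;;
    esac
}
```

Usage is `add_root_cert foo.crt "Certificate Common Name"` followed by `list_root_certs`; setting DRY_RUN=1 first shows exactly which native command would be executed, which is worth doing once per platform before pointing the script at real user profiles.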

Firefox


While the above steps work fine for pretty much all applications on the three OSes, Firefox does things its own way. Firefox ships its own NSS certificate database and hence does not look at the certificates the OS knows about. One way to manage certificates from the command line would be to install certutil and point it at the cert8.db certificate database in your Firefox profile directory. Alternatively, one could do the following:

  1. Launch Firefox with a blank profile
  2. Accept the certificates we are interested in.
  3. Save a copy of the cert8.db file.
  4. Import this database to the profiles we wish to run Firefox on.

While copying the database is not as clean a solution as using certutil, we went with the second option because there is no guarantee that certutil will be present on the user’s machine, especially if they are running Windows or Mac OS X, and we had fairly tight control over the Firefox profiles.
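Steps 3 and 4 of the procedure above are the part that is easy to get subtly wrong when done by hand: copying the prepared database into the wrong directory, or overwriting a profile's existing cert8.db with no way back. The following is an added example, not code from the original post, that scripts those two steps. It assumes the Firefox profiles root layout of one directory per profile, each containing a prefs.js (that file is used to tell real profiles apart from sibling directories such as crash-report folders), and that steps 1 and 2 have already produced a trusted cert8.db in a scratch profile; the function names are my own:

```shell
# Added example (not from the original post): push a prepared cert8.db into
# every Firefox profile under a profiles root, backing up what was there.
set -u

# is_firefox_profile <dir>: a profile directory is recognised by its prefs.js
# (assumption about the profile layout; anything else is skipped).
is_firefox_profile() {
    [ -f "$1/prefs.js" ]
}

# import_cert_db <prepared-cert8.db> <profiles-root>
# Copies the prepared database into each profile, keeping a .bak of any
# cert8.db it overwrites so the change can be reverted. Prints the number of
# profiles updated. Firefox must not be running while this happens, since it
# holds the database open and may rewrite it on exit.
import_cert_db() {
    src="$1"
    root="$2"
    count=0
    [ -f "$src" ] || { echo "missing source db: $src" >&2; return 1; }
    for dir in "$root"/*/; do
        dir="${dir%/}"
        is_firefox_profile "$dir" || continue
        if [ -f "$dir/cert8.db" ]; then
            cp -p "$dir/cert8.db" "$dir/cert8.db.bak"
        fi
        cp "$src" "$dir/cert8.db"
        count=$((count + 1))
    done
    echo "$count"
}
```

Typical use is `import_cert_db ~/scratch-profile/cert8.db ~/.mozilla/firefox` once the scratch profile has accepted the certificates in step 2; if a user later reports a broken site, the .bak copies let each profile be restored individually without repeating steps 1 and 2.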