Building on dwmw2's answer, you can actually tell applications that use NSS for their certificate management to use the system trust store. libnss3 by default ships with a read-only set of root CA certificates (libnssckbi.so), so most of the time you need to manually add them yourself to the local user trust store located in $HOME/.pki/nssdb. p11-kit offers a drop-in replacement for libnssckbi.so that acts as an adapter to the system-wide root certificates installed in /etc/ssl/certs.
Edit:
There seem to be more versions of libnssckbi.so out there than just in libnss3. The following is a script to find them all, back them up, and replace them with links to p11-kit:
sudo apt-get update && sudo apt-get install -y p11-kit libnss3
# Find every libnssckbi.so, back it up, and link p11-kit-trust.so in its place
find / -type f -name "libnssckbi.so" 2>/dev/null | while IFS= read -r line; do
    sudo mv "$line" "${line}.bak"
    sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so "$line"
done
Original instructions:
To do this, install p11-kit and libnss3 (if they are not already installed):
sudo apt-get update && sudo apt-get install -y p11-kit libnss3
Then back up the existing libnssckbi.so provided by libnss3:
sudo mv /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so.bak
Finally, create the symbolic link:
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
To confirm that it worked, you can run ll /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so and it should show the link:
lrwxrwxrwx 1 root root 49 Apr 9 20:28 /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so -> /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
Now, if you add a certificate to the CA store using update-ca-certificates, those certificates will now be available to applications using NSS (libnss3) such as Chrome.
3 the comment "The instructions sent were: "Double-clicking on it on a Mac should install it."" made my day – mzoll – 2019-09-19T09:43:14.143
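The confirmation step in the answer checks a single path, while its edit notes that several copies of libnssckbi.so can exist. The following added example (not part of the original answer) classifies every copy under a directory so that leftover bundled modules and broken links stand out. The function names classify_nssckbi and audit_nssckbi are made up for this example, and it assumes readlink -f as shipped on the Debian/Ubuntu systems the answer targets.

```shell
#!/bin/sh
# Added example: audit which trust module each libnssckbi.so really is.
# Usage: audit_nssckbi /    (run as root so find can enter every directory)

# classify_nssckbi PATH -> prints p11-kit | bundled | dangling | other-link
classify_nssckbi() {
    path=$1
    if [ -L "$path" ]; then
        # [ -e ] follows the link: false means the target is gone and
        # NSS would load no root CA module at all from this location.
        [ -e "$path" ] || { echo dangling; return 0; }
        target=$(readlink -f -- "$path")
        case "${target##*/}" in
            p11-kit-trust.so) echo p11-kit ;;
            *)                echo other-link ;;
        esac
    else
        # Regular file: still the read-only CA bundle shipped with NSS
        # (or with an application that vendors its own copy).
        echo bundled
    fi
}

# audit_nssckbi ROOT -> one "STATUS<TAB>PATH" line per module under ROOT.
# Returns 0 only if every copy resolves to p11-kit-trust.so.
# Paths containing newlines are not supported.
audit_nssckbi() {
    find "${1:-/}" \( -type f -o -type l \) -name 'libnssckbi.so' 2>/dev/null |
    (
        rc=0
        while IFS= read -r path; do
            status=$(classify_nssckbi "$path")
            printf '%s\t%s\n' "$status" "$path"
            [ "$status" = p11-kit ] || rc=1
        done
        exit "$rc"
    )
}
```

A non-zero return from audit_nssckbi means at least one application will keep ignoring certificates added with update-ca-certificates.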