Deploying SSL certificates

2012-05-17

SSL certificates are kind of a pain in the ass.

You have to create a PKI, which is really frustrating when you do it for the first time. You can use OpenSSL or GnuTLS for this. I ended up making minipki, a python3 wrapper around the OpenSSL binary, specifically so I wouldn’t have to put up with OpenSSL’s shit interface any more.

But after that, how do you actually get your certificate out to your users? Each browser on each OS may have its own way of storing trusted CA certificates.

Installing certificates on Debian/Ubuntu

Almost all applications on Debian/Ubuntu will use the system certificate store described here, including curl and wget, but not Mozilla applications or Google Chrome.

Note that the ca-certificates package installs the Debian/Ubuntu certificate authorities, and also (at least as of now) the bundle from Mozilla. It puts these in /usr/share/ca-certificates, and uses the /etc/ca-certificates.conf file to determine whether files in that directory are trusted. However, all certificates in /usr/local/share/ca-certificates are trusted implicitly.
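As an added example (not from the post, and not part of minipki), here is a small audit script for the Debian/Ubuntu mechanism just described: it parses the /etc/ca-certificates.conf selection list and reports what the host will trust after update-ca-certificates runs. It assumes the conf format of one path per line relative to /usr/share/ca-certificates, a leading "!" meaning deselected and "#" meaning comment, and that only *.crt files under /usr/local/share/ca-certificates are picked up; the sample conf and directory listing are constructed.

```python
"""List which CA certificates a Debian/Ubuntu host will trust."""
import os
SHARE_DIR = "/usr/share/ca-certificates"        # distro + Mozilla bundle
LOCAL_DIR = "/usr/local/share/ca-certificates"  # trusted implicitly
CONF = "/etc/ca-certificates.conf"

# Constructed sample of /etc/ca-certificates.conf (assumed format: one
# path per line relative to SHARE_DIR, '!' deselects, '#' is a comment).
SAMPLE_CONF = """\
# constructed example, not a real conf file
mozilla/Example_Root_CA.crt
!mozilla/Distrusted_Example_Root.crt
"""
# Constructed listing of LOCAL_DIR: update-ca-certificates only reads *.crt.
SAMPLE_LOCAL = ["corp-root.crt", "README", "old-root.pem"]

def parse_conf(text):
    """Split conf text into (selected, deselected) relative paths."""
    selected, deselected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            deselected.append(line[1:].strip())
        else:
            selected.append(line)
    return selected, deselected

def split_local(names):
    """Return (picked_up, ignored): a .pem dropped here is silently skipped."""
    picked = sorted(n for n in names if n.endswith(".crt"))
    ignored = sorted(n for n in names if not n.endswith(".crt"))
    return picked, ignored

def trusted_paths(conf_text, local_names):
    """Absolute paths the host trusts after update-ca-certificates runs."""
    selected, _ = parse_conf(conf_text)
    picked, _ = split_local(local_names)
    return ([os.path.join(SHARE_DIR, p) for p in selected]
            + [os.path.join(LOCAL_DIR, n) for n in picked])

if __name__ == "__main__":
    # Audit the real host when run directly; fall back to the sample data.
    try:
        conf_text = open(CONF).read()
        local_names = os.listdir(LOCAL_DIR)
    except OSError:
        conf_text, local_names = SAMPLE_CONF, SAMPLE_LOCAL
    print("\n".join(trusted_paths(conf_text, local_names)))
```

Run it on a box and compare the output against the list of CAs you actually intended to trust; a distrusted entry is removed by prefixing it with "!" in the conf, and a local root that was saved with a .pem extension shows up in the ignored list rather than the trusted one.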

Installing certificates on a Mac

Native Mac applications (such as Safari and Mail) use this store. Google Chrome uses it as well.

Command line

You may be able to add CA certs to /Library/Preferences/cacert.pem but I’m not sure how robust that is / what happens if that file gets updated by something else (such as Keychain.app).

Using Keychain.app (either per-user or for the whole computer)

Installing certificates on Windows

Native Windows applications (such as Internet Explorer and Outlook) use this store. Google Chrome uses it as well.

Via Active Directory

Manually on the commandline

Manually via the GUI

Installing certificates to a Mozilla profile

Mozilla products have a separate store in each user profile.

Exciting fact: This means that you’ll have to do this separately for your Firefox and Thunderbird profiles!

Manually in the GUI

Options -> Advanced -> Encryption -> View Certificates -> Authorities tab -> Import

Using NSS certutil

See Mozilla, SSL, and NSS for information on using Mozilla’s (not Microsoft’s) certutil.exe to directly modify the certificate store in Firefox and Thunderbird.

Installing certificates in Chrome

Chrome is an exciting blend of the Mozilla Way and the OS Way: it uses the OS store on Mac and Windows, but not the system store on Debian/Ubuntu.

A quick note about NSIS

NSIS is the NullSoft Installer System. There’s an NSIS script to import root certificates. It works with the Windows default store and the Firefox one. It’s useful for employees who work from home and don’t have company-provided equipment on the domain. Unfortunately it doesn’t do Thunderbird, although it looks like it’d be pretty easy to add support for it. Also, unlike my batch files, this only installs it to the default FF profile, not all profiles in %APPDATA%\Mozilla\Firefox\Profiles.

This script works for me but the NSIS language is really ugly and I don’t wanna wade through it again right now, so I’m just going to link to the official page.

Tangents

This post is about the pragmatics of managing a small SSL PKI, but keep in mind that TLS/SSL in general is a total clusterfuck.

SSL actually kind of sucks

You can do cool stuff with it anyway