how to import a self signed CA (root) ssl certificate into google chrome on linux

to import a self-signed CA ssl certificate into the linux version of google chrome, use the tool, certutil. on ubuntu (hence, probably debian), it is contained in the package, libnss3-tools.

chrome expects to find the certificate database in ~/.pki/nssdb. create, if needed:

[ -d ~/.pki/nssdb ] || mkdir -p ~/.pki/nssdb

import the ca cert with certutil:

certutil -d sql:$HOME/.pki/nssdb -A -n 'example.com cert authority' -i example.com.root.cert -t TCP,TCP,TCP
  • the directory parameter needs the sql: prepended or chrome won’t see the cert

  • i chose very generous trust values because i control my CA cert, i trust myself, and i was lazy. you probably want to tighten up those values.

the server certificate can be added in a similar manner:

certutil -d sql:$HOME/.pki/nssdb -A -n 'example.com' -i example.com.cert -t P,P,P