Bit Integrity

While Chrome is an excellent browser, there isn't a quick and easy method to convince it to stop freaking out over self-signed or custom ssl certificates. For the majority of users this is probably a good thing, however for sys-admins or developer types there has to be a better way. This bash script takes the hassle out of importing certificates to make Chrome be quiet. The first option for the script will be the hostname or ip address. The second option is only needed if you're running on a non-standard port (I'm looking at you, webmin).

#!/bin/bash
CERT=/tmp/certfile.txt
REMHOST=$1          # Host to pull cert from
REMPORT=${2:-443}   # Set default of 443

exec 6>&1           # Link file descriptor #6 with stdout.
exec > $CERT        # stdout replaced with file

# All output from commands in this block sent to file $CERT
echo | openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 \ 
|sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

# ----------------------------------------------------------- #

exec 1>&6 6>&-      # Restore stdout and close file descriptor #6.
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "$REMHOST" -i $CERT
echo
echo "== Certificate for $REMHOST added == "
rm $CERT
exit 0

To validate that the cert has indeed been added after running the script, you can use the certutil app to show you what is listed in your personal trust.

[jperrin@bit-integrity ~]$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
localhost.localdomain                                        CT,,