Unable to import CA



  • Hello,

    I generated a CA certificate, then keys and so on. Made it work without any issues on one PC with Linux Mint 19.1.
    Works on all browsers - Vivaldi, Firefox, Chrome, Chromium. Chrome is version 77.0.3865.78

    On the other laptop, it only works in Firefox. I can't import the CA into any Chrome-based browser. The GUI itself only says "Unknown error"; there is, however, a little error in the log:

    [11312:11312:1014/134704.139969:ERROR:nsNSSCertificateDB.cpp(89)] PK11_ImportCert failed with error -8168
    

    Taken from vivaldi-snapshot

    Vivaldi	2.9.1675.11 (Official Build) snapshot (64-bit)
    Revision	802bcf2c17d188383d36e2aa44b3ed61c82ec66c
    OS	Linux
    JavaScript	V8 7.7.299.11
    Flash	32.0.0.270 /home/xx/.config/google-chrome/PepperFlash/32.0.0.270/libpepflashplayer.so
    User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.93 Safari/537.36 Vivaldi/2.9.1675.11
    Command Line	/usr/bin/vivaldi-snapshot --flag-switches-begin --flag-switches-end --save-page-as-mhtml
    Executable Path	/opt/vivaldi-snapshot/vivaldi-snapshot
    Profile Path	/home/xx/.config/vivaldi-snapshot/Default
    

    The error is the same throughout the browsers I tried - vivaldi, chrome, vivaldi-snapshot.
    Chrome is Version 71.0.3578.98 (Official Build) (64-bit)
    Linux Mint 19.

    Any idea what could be wrong? How can I troubleshoot further/workaround?

    Thanks,
    Adam


  • Moderator

    @adam2222 I fear your file had the wrong certificate format, or you used the wrong steps for the import.

    I suggest this (I translated the steps from my video [1], so some parts of the messages in the popups may differ):
    Open chrome://settings/certificates
    Select Authorities
    Select Import
    In the file dialog, select the CA crt file (stored in PEM file format)
    Confirm opening the file
    A popup for the certificate appears
    Select the type of usage for the certificate
    [ x ] Certificate is used to identify websites
    Confirm with OK
    Close Settings

    See https://labs.gwendragon.de/blog/Web/Browser/Vivaldi/linux-add-ca-certificate-to-vivaldi



  • Hi,
    I used the same steps for importing the CA. I did exactly as you described it.
    I also tried the 'wrong' way of importing: I tried to import the CA as a client certificate and as a server cert. In both cases there was an error message saying that it is not possible to import a CA as a certificate, so that's correct, and the error message is correct and very precise.

    If the format was incorrect, would it import on the other computer? It's the same file and the same browser, just maybe not the very same build.

    I created CA by following this guide: https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/

    openssl req -new -x509 -subj "/CN=myca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config $prefix.cnf
    

    Resulting in a file named 'ca.pem'

    Just for the sake of it, I checked the md5sum of the file on both computers; it is the same.


  • Moderator

    @adam2222 I tested with Snapshot 2.9.1692.4 x64 on Debian 10.1 as described in Create CA certificate and could import the ca.pem and the Authorities show the org-myca.


  • Moderator

    @adam2222 said in Unable to import CA PK11_ImportCert failed with error -8168:

    If the format was incorrect- would it import on the other computer?

    Different openssl tools/libraries on each computer, and that may cause a broken cert.



  • Hi,

    Can you advise what software I am looking for? What libs etc.?


  • Moderator

    Please tell me first if you can dump your CA certificate with openssl.
    openssl x509 -in ca.pem -text -noout

    @adam2222 said in Unable to import CA PK11_ImportCert failed with error -8168:

    Can you advise what software I am looking for? What libs etc.?

    I do not know if you have an old Mint version.
    Please tell me the output of typing cat /etc/os-release in a shell,
    and
    openssl version

    The package openssl is important:
    dpkg -l openssl* | grep ii


  • Moderator

    @adam2222 said in Unable to import CA PK11_ImportCert failed with error -8168:

    [11312:11312:1014/134704.139969:ERROR:nsNSSCertificateDB.cpp(89)] PK11_ImportCert failed with error -8168

    I think this error was thrown because you tried to import your CA certificate as a PKCS#12 client certificate (used for authentication).


  • Moderator

    A command line tool for importing a CA cert into the certificate database used by Vivaldi and Chromium is certutil from the package libnss3-tools.
    https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md

    Import cert:
    certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "myca" -i ca.pem

    List certs:
    certutil -d sql:$HOME/.pki/nssdb -L



  • Hi,

    Validation is done without errors:

    openssl x509 -in ca.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                b4:8e:f9:8f:9d:4f:0d:46
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = REDACTED.com.pl
            Validity
                Not Before: Oct 11 18:24:15 2019 GMT
                Not After : Oct  8 18:24:15 2029 GMT
            Subject: CN = REDACTED.com.pl
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
    (...)
    

    I tried using the command line utility.
    That's before:

    certutil -d sql:$HOME/.pki/nssdb -L
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    

    That's after:

    certutil -d sql:$HOME/.pki/nssdb -L
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    REDACTED.com.pl                                                 P,,  
    
    

    I checked on the other machine and the attributes were different so I changed that also to look like:

    certutil -d sql:$HOME/.pki/nssdb -L
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    REDACTED.com.pl                                                 CT,C,C
    
    

    In both scenarios, no errors from certutil but neither browser has the CA on the list, and CA is still not recognized.

    The system that it works on has

    root@naven-GV72-8RC:/home/naven# dpkg -l openssl*  |grep ii
    ii  openssl           1.1.1-1ubuntu2.1~18.04.4 amd64        Secure Sockets Layer toolkit - cryptographic utility
    root@naven-GV72-8RC:/home/naven# uname -a
    Linux naven-GV72-8RC 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    root@naven-GV72-8RC:/home/naven#  cat /etc/os-release
    NAME="Linux Mint"
    VERSION="19.1 (Tessa)"
    ID=linuxmint
    ID_LIKE=ubuntu
    PRETTY_NAME="Linux Mint 19.1"
    VERSION_ID="19.1"
    HOME_URL="https://www.linuxmint.com/"
    SUPPORT_URL="https://forums.ubuntu.com/"
    BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
    PRIVACY_POLICY_URL="https://www.linuxmint.com/"
    VERSION_CODENAME=tessa
    UBUNTU_CODENAME=bionic
    
    

    Problematic system:

    # dpkg -l openssl*  |grep ii
    ii  openssl           1.1.1-1ubuntu2.1~18.04.4 amd64        Secure Sockets Layer toolkit - cryptographic utility
    
    # uname -a
    Linux ul001613 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    
    # cat /etc/os-release
    NAME="Linux Mint"
    VERSION="19 (Tara)"
    ID=linuxmint
    ID_LIKE=ubuntu
    PRETTY_NAME="Linux Mint 19"
    VERSION_ID="19"
    HOME_URL="https://www.linuxmint.com/"
    SUPPORT_URL="https://forums.ubuntu.com/"
    BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
    PRIVACY_POLICY_URL="https://www.linuxmint.com/"
    VERSION_CODENAME=tara
    UBUNTU_CODENAME=bionic
    

    Perhaps this is some permissions problem? Where are those CAs stored?


  • Moderator

    @adam2222 And what is you problem now? You added REDACTED.com.pl as a root CA?



  • The problem is that even though the cert was imported using certutil, it still is not visible in the authorities list in the browser and needless to say the CA is not recognized by Vivaldi.


  • Moderator

    @adam2222 REDACTED.com.pl is not a valid certificate for a root CA. You checked it with openssl and the output tells me that it is not a CA certificate.

    That is an example output of a local server CA certificate:

    test@debby:/media/sf_SHARED/SERVANA$ openssl x509 -in Servana_CA.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 97716107408936294 (0x15b28482ef18d66)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = Servana, OU = Servana Cert Unit, CN = Servana CA, emailAddress = ca@servana
            Validity
                Not Before: Jul 28 16:19:00 2019 GMT
                Not After : Jul 28 16:19:00 2029 GMT
            Subject: O = Servana, OU = Servana Cert Unit, CN = Servana CA, emailAddress = ca@servana
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier: 
                    38:02:A9:54:2A:1E:FC:65:FF:C8:A1:FE:96:FB:F6:02:55:A9:6C:CC
                X509v3 Key Usage: 
                    Certificate Sign, CRL Sign
                Netscape Cert Type: 
                    SSL CA, S/MIME CA, Object Signing CA
                Netscape Comment: 
                    ca certificate
        Signature Algorithm: sha256WithRSAEncryption
    


  • I cut the output and used (...).
    I don't fully understand how SSL works, so I cut out the 'random' parts for safety.

    Below is the full output without any modifications.
    Keep in mind that this website, from an external POV, is using Let's Encrypt.

    openssl x509 -in ca.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                b4:8e:f9:8f:9d:4f:0d:46
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = naven.com.pl
            Validity
                Not Before: Oct 11 18:24:15 2019 GMT
                Not After : Oct  8 18:24:15 2029 GMT
            Subject: CN = naven.com.pl
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                       x
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                   C8:D9:CA:2E:66:8B:21:13:40:15:BB:D2:C8:84:A0:BD:AD:CF:20:CA
                X509v3 Authority Key Identifier: 
                    keyid:A8:D9:CD:2E:66:1B:87:63:40:15:BB:D2:C8:84:C0:BD:AC:CF:20:CB
    
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:3
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                Netscape Cert Type: 
                    SSL CA, S/MIME CA
        Signature Algorithm: sha256WithRSAEncryption
    x
    
    

  • Moderator

    @adam2222 If you import it with certutil it should be shown in Authorities as org-naven.com.pl.
    If you did not see it, you should reload Vivaldi certificate page.



  • Hi,

    Good news.

    I actually didn't notice you giving me the location of the certs earlier. I compared it now and found the fault.

    The issue was in permissions. I had

    ls -lah /home/username/ | grep pki
    drw-r--r--  3 username username 4.0K Apr 27  2017 .pki
    

    I did

    chmod -R 700 /home/username/.pki/
    ls -lah /home/username/ | grep pki
    drwx------  3 username username 4.0K Apr 27  2017 .pki
    
    

    Which fixed the issue.

    Thank you for thorough investigation.
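    A small diagnostic for the two things this thread turned on: the NSS database under ~/.pki/nssdb that certutil and the Chromium-based browsers open (the certutil post above), and the missing owner search bit on ~/.pki that made the import silently invisible (the fix just above). This is an added example, not code from the thread or from Vivaldi; it assumes the database path ~/.pki/nssdb from the certutil command and runs its demo only on a constructed temporary copy of the broken layout.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks behind the symptoms above:
# (1) NSS cannot open ~/.pki/nssdb when a directory on that path lacks the
#     owner search (x) bit, as in the poster's drw-r--r--, and certutil -A
#     reports no error about it; the browser then simply shows nothing.
# (2) the Authorities tab only takes a file whose Basic Constraints say CA:TRUE.

# Return 0 if the owner has the search bit on a directory. Judged from the
# ls mode string so the answer is the same whether or not we run as root.
owner_has_search_bit() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drw-r--r-- or drwx------
    case "$mode" in
        d??x*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Walk the path NSS needs: both $1 (~/.pki) and $1/nssdb must be
# searchable by the owner. Prints the first directory that is not.
nssdb_path_usable() {
    for d in "$1" "$1/nssdb"; do
        [ -d "$d" ] || { echo "missing or unreachable: $d"; return 1; }
        owner_has_search_bit "$d" || { echo "no owner x bit: $d"; return 1; }
    done
    return 0
}

# The repair the poster applied: owner-only access on the whole tree.
fix_pki_perms() {
    chmod -R 700 "$1"
}

# Return 0 if a PEM certificate is flagged as a CA (Basic Constraints
# CA:TRUE), using the same openssl dump the moderator asked for.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Stand-alone demo on a constructed copy of the broken layout; it never
# touches the real ~/.pki. Returns 0 when the fault is detected and repaired.
demo_broken_pki() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.pki/nssdb"
    chmod 644 "$tmp/.pki"                     # reproduce the poster's drw-r--r--
    nssdb_path_usable "$tmp/.pki" && return 1 # must be reported as broken
    fix_pki_perms "$tmp/.pki"
    nssdb_path_usable "$tmp/.pki" || return 1 # must be usable afterwards
    rm -rf "$tmp"
}
```

    Run `demo_broken_pki` (or `nssdb_path_usable "$HOME/.pki"` against the real directory) before re-running the certutil import, and `cert_is_ca ca.pem` to confirm the file belongs under Authorities at all.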


  • Moderator

    @adam2222 I could not imagine that your .pki folder had the wrong permissions.
    You can be happy that you found it.

    Enjoy now browsing with your own certificates. 🍀

