Ubuntu
ca-certificates package

How do I install cacert.org for all users?

Asked by Callum Macdonald

I've been able to install cacerts.org for my default browser profile, but I'd like to install it system wide. How can I do that without having to install the certificates in each browser profile individually?

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu ca-certificates Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#1

How do you install it for one user?

Revision history for this message
Callum Macdonald (chmac) said : 		#2

I followed these instructions:
http://wiki.cacert.org/BrowserClients#Mozilla_Firefox

Essentially, the process is to click on a link to the master certificate and the revocation list. Firefox automatically knows what to do with each type of file.

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#3

Well the site states:

In Debian/Ubuntu certutil comes from libnss3-tools

$ sudo apt-get install libnss3-tools
and to import the our root certs you simply need to run:

$ sudo apt-get install curl
$ curl -k -o "cacert-root.crt" "http://www.cacert.org/certs/root.crt"
$ curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"

$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
$ certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

I searched my OS for .pki to see if there is a central .pki but was unsuccessful. Looks like you will need to run the last 2 commands for each user. You could have it as a script to run at logon for all users once they login, you could script the last 2 commands to run at logon. You could see if there is a central storage point for stuff but I am not aware of where one would be,

Revision history for this message
Callum Macdonald (chmac) said : 		#4

Thanks for that info. i've imported those certificates, and it works for Chrome, but not for Firefox.

As a slight aside, I used wget instead of curl. I'm not sure why they advocate installing curl, I don't think it's necessary. So I was able to ignore the "sudo apt-get install curl" part and then the next two lines became:
$ wget -O "cacert-root.crt" "http://www.cacert.org/certs/root.crt"
$ wget -O "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"

This doesn't resolve the firefox issues, but it's a positive step in the right direction... :-)

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#5

Not sure on the firefox front dude. I ditched that garbage ages ago. Maybe someone else can chime in

Good luck

Revision history for this message
Callum Macdonald (chmac) said : 		#6

I've just realised I didn't mention Firefox in my original post, oops! Thanks for your feedback, now I've installed the certificate for Chrome also. I'm a little sceptical of Google so until I figure out how to fully "unplug" Chrome, I'll carry on with Firefox. That and my array of plugins which I can't get on Chrome. :-)

Can you help with this problem?

Provide an answer of your own, or ask Callum Macdonald for more information if necessary.

To post a message you must log in.