How to protect the Google Chrome NSS Certificate DB store in Linux with password

Google Chrome for Linux keeps the installed X.509 certificates and keys in an NSS Certificate DB store, which is not protected by default. That means everyone with access to the browser and/or the user's home directory can copy the signing keys. The goal of this memo is to explain how to protect Google Chrome's certificate store with a password.

Note that the per-user folder where Google Chrome keeps the NSS Certificate DB files is:

${HOME}/.pki/nssdb

On its first start (initiated by the user), the browser generates the NSS Certificate DB store files there:

cert9.db
key4.db
pkcs11.txt

It is important to keep in mind, when using the NSS tools to manage the database, that Google Chrome uses the SQLite3-based format of NSS Certificate DB.

To list the content of the database, use the tool certutil (mind the file system locator "sql:" after "-d" in the command line below; it selects the SQLite3 format):

$ certutil -L -d sql:${HOME}/.pki/nssdb

If there are X.509 certificates installed in NSS Certificate DB, you will see their friendly names and trust attributes (otherwise, only the column headers will be displayed).

To set the password that protects the keys and the integrity of NSS Certificate DB, stop Google Chrome first (check that it is no longer running), and then execute the following command line:

$ certutil -W -d sql:${HOME}/.pki/nssdb

That starts a dialogue in the terminal. First, you need to type the current password (simply press "Enter" to try the default password, which is an empty string):

Enter Password or Pin for "NSS Certificate DB":

If that password is correct, the next step begins with the following message:

Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

followed by a prompt where the new password for protecting NSS Certificate DB is to be entered twice:

Enter new password:
Re-enter password:

If the new password is correctly typed, a confirmation message will be displayed:

Password changed successfully.

From this moment onward, the installation of new certificates (with or without their private keys) in NSS Certificate DB, as well as access to the installed private keys, will require the password.
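As an added example (not part of the original post), the shell wrapper below automates the certutil -W step described above with the checks a practitioner would want: it refuses to run while a process named "chrome" is running, verifies that the SQLite3 database exists, enforces the password policy certutil states, and passes the current and new passwords through temporary 0600 files via certutil's -f and -@ options instead of the interactive prompts. It assumes certutil (NSS tools) and pgrep are on PATH, and that the default empty current password can be supplied through -f as an empty line.

```shell
#!/bin/sh
# Added example: non-interactive "certutil -W" for Chrome's NSS Certificate DB.
# Assumptions: certutil and pgrep are installed; NSSDB may be overridden.
NSSDB="${NSSDB:-${HOME}/.pki/nssdb}"

# Policy certutil prints: at least 8 characters, at least one non-alphabetic
# character. Returns 0 when the candidate password complies.
nss_password_ok() {
    pw="$1"
    [ "${#pw}" -ge 8 ] || return 1
    case "$pw" in
        *[!A-Za-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when this user has a running process named "chrome"; the DB must
# not be modified while the browser holds it open.
chrome_running() {
    pgrep -u "$(id -u)" -x chrome >/dev/null 2>&1
}

# Changes the NSS Certificate DB password.
#   $1 = current password ("" for the default empty password)
#   $2 = new password
# Password files are created inside a private mktemp directory with umask 077
# and removed afterwards; certutil reads them through -f (old) and -@ (new).
set_nssdb_password() {
    old="$1"; new="$2"
    nss_password_ok "$new" || { echo "new password violates NSS policy" >&2; return 1; }
    chrome_running && { echo "stop Google Chrome first" >&2; return 1; }
    [ -f "${NSSDB}/key4.db" ] || { echo "no SQLite3 NSS DB in ${NSSDB}" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    # trailing newline keeps the file non-empty even for the empty old password
    ( umask 077; printf '%s\n' "$old" > "${tmp}/old"; printf '%s\n' "$new" > "${tmp}/new" )
    certutil -W -d "sql:${NSSDB}" -f "${tmp}/old" -@ "${tmp}/new"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Call it as set_nssdb_password '' 'new-passw0rd' to replace the default empty password; the same policy function also applies to the password chosen for certutil -N when recreating the database.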

To verify that password-controlled access to the NSS Certificate DB works, run Google Chrome and type in the address bar:

chrome://settings/certificates

and press "Enter". If NSS Certificate DB is password protected, a sign-in window appears (note the window description saying "Please sign in to NSS Certificate DB"). If you cannot provide the correct password, only read-only access to the NSS Certificate DB is granted, with no access to the private keys installed there (so no certificate-authenticated logins and no digital signatures).

What if I forget the password for NSS Certificate DB?

You cannot do much, because the private keys previously installed in the database are now encrypted under a password you have forgotten. Moreover, the password is irretrievable: by design, NSS Certificate DB has no additional decryption key or other mechanism that could recover the password from the locked database files. Hence, if you forget the NSS Certificate DB password, consider the keys installed there lost.

If you keep backup copies of the certificates and keys (as PFX/PKCS#12 files), you can create a new database and install them there. To create a new NSS Certificate DB, you must stop Google Chrome first (mandatory). Then move the old NSS Certificate DB files to a temporary location (who knows, one day the forgotten password might be found):

$ mkdir ${HOME}/.pki/nssdb-lost
$ mv ${HOME}/.pki/nssdb/* ${HOME}/.pki/nssdb-lost/

and create the new database files in ${HOME}/.pki/nssdb:

$ certutil -N -d sql:${HOME}/.pki/nssdb

After the message:

Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

enter the new password twice:

Enter new password:
Re-enter password:

and if the confirmation message:

Password changed successfully.

is displayed, your new (but empty) NSS Certificate DB has been created and is protected with a password.

Now you can run Google Chrome and install the certificates and private keys using the certificate management tools embedded in the browser.


Creative Commons - Attribution 2.5 Generic. Powered by Blogger.