Tuesday 6 July 2010

Add VMware Server certificate to Chrome

When you connect to your VMware Server host console using the Google Chrome browser, you will be presented with a warning that the site certificate is invalid. This is because the certificate is self-signed: it is generated during the VMware install process.

In Firefox you simply click "allow exception" and this warning disappears for good.

Unfortunately, Chrome does not have a similar exception mechanism. Chrome uses the "NSS Shared DB", which is part of the OS. From their website: "On Linux, Chromium uses the NSS Shared DB. Rather than reinvent the wheel and create another certificate configuration tool, we are going to wait for a system certificate configuration utility to be created and launch that. In the meantime, you can configure certificates with the NSS command line tools."

This is how we do it. My host server is named "jupiter"; you should change this to suit yours, obviously.

Install the nss toolset;

sudo apt-get install libnss3-tools

Obtain the certificate from your server;

echo QUIT | openssl s_client -connect site:8333 | sed -ne '/BEGIN CERT/,/END CERT/p'

This will produce a lot of output. Select and copy the section that looks like this;

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Note: You should include the BEGIN and END tag lines.

Create a file to store the certificate;

vi ~/jupiter.cert

and paste in the code you copied.

Add the certificate to your store;

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n vmware-jupiter -i ~/jupiter.cert

"vmware-jupiter" is a nickname; you can use whatever you like there as long as it makes some sense to you.

You should be able to browse your host without seeing any error*
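
The steps above trust whatever certificate the connection returns, so it is worth comparing its fingerprint with one read on the host itself before importing it. The script below is an added example, not part of the original post: it fetches the certificate, checks its SHA-256 fingerprint against the expected value, and only then runs the same certutil import. The function names are made up for this example, and the expected fingerprint is assumed to have been obtained out of band.

```shell
#!/bin/sh
# Added example: import the host certificate into NSS only if its SHA-256
# fingerprint matches one obtained out of band. Function names are hypothetical.

# Print the first PEM certificate block on stdin (the server's own certificate
# in s_client output), dropping the handshake text around it.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Reduce a fingerprint to bare upper-case hex so "ab:cd" and "ABCD" compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of the certificate in file $1, as bare upper-case hex.
cert_sha256() {
    normalise_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')"
}

# Usage: trust_if_pinned jupiter:8333 '<fingerprint read on the host>' vmware-jupiter
# Returns 1 if no certificate was received, 2 on a fingerprint mismatch.
trust_if_pinned() {
    target=$1
    expected=$(normalise_fp "$2")
    nick=$3
    pem=$(mktemp) || return 1
    echo QUIT | openssl s_client -connect "$target" 2>/dev/null | extract_pem > "$pem"
    if [ ! -s "$pem" ]; then
        echo "no certificate received from $target" >&2
        rm -f "$pem"
        return 1
    fi
    actual=$(cert_sha256 "$pem")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, not importing: got $actual" >&2
        rm -f "$pem"
        return 2
    fi
    # "P,," marks the certificate as a trusted peer for TLS only.
    certutil -d "sql:$HOME/.pki/nssdb" -A -t "P,," -n "$nick" -i "$pem"
    rc=$?
    rm -f "$pem"
    return $rc
}
```
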

You can list the certificates that are installed like this;

certutil -d sql:$HOME/.pki/nssdb -L

To look at the details of a certificate;

certutil -d sql:$HOME/.pki/nssdb -L -n certificate_nickname

And finally, to delete a certificate;

certutil -d sql:$HOME/.pki/nssdb -D -n certificate_nickname

* You will still get a red "broken certificate" indicator in the browser address bar but you won't be asked to proceed every time you connect.
