Is it possible to add system-wide client certificates on Linux? (OpenSSL)

Solution 1:

No, there isn't.

(And client certificates are fundamentally not a "system-wide" thing – they're typically issued to users, and even Windows has separate per-user stores rather than a system-wide store. You'd be looking for something in $HOME/, not in /usr.)

(The ca-certificates directory is, as the name implies, for CA certificates (i.e. trusted issuers) to verify server certificates against. Even though the file format is the same, TLS libraries don't load all certificates into one pool but keep them separate, i.e. OpenSSL won't even look at the files loaded from ca-certificates unless it indeed wants to verify a server cert against known CAs.)


It is possible to get somewhat close to the Windows behavior (i.e. of being able to import a certificate globally via 'certmgr.msc'), but it is not the default setup, and still won't work with many apps anyway as they don't support the necessary features. But

  • Some programs have PKCS#11 support (for smart cards). Installing SoftHSM2 and configuring all of your browsers to use the "libsofthsm2" PKCS#11 module would allow all of them to access the same client certificates that are imported into SoftHSM2. (Of course, other PKCS#11 modules would also work, like tpm2_pkcs11.)

    This has gotten simpler as increasingly more programs use p11-kit and no longer require messing around with slot #s or object IDs in each individual app. Still, it is nowhere close to the integration Windows CNG offers.

  • Some programs that use the Mozilla "NSS" TLS library (e.g. Chrome, Chromium, anything Chromium-based, the Evolution mail client, and did I mention Chrome) tell it to use a "shared" NSS configuration database at ~/.pki/nssdb. Any certificates imported to this database will be visible to all apps which use it.

    This unfortunately doesn't include Firefox and Thunderbird (the other two biggest programs which use NSS), which have separate per-profile NSS configuration. Their cert/key.db files can be symlinked to the ones in ~/.pki/nssdb but it's not the default.

    (And of course, it doesn't include apps that use OpenSSL or GnuTLS.)
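As an added example (not part of the answer above, nor of any of the projects it mentions), a POSIX shell script that does the per-user imports the answer describes: it creates the shared NSS database, imports a PKCS#12 client bundle into it, checks the cert is visible, optionally loads the same key and cert into a SoftHSM2 token for PKCS#11-aware apps, and symlinks a Firefox or Thunderbird profile's cert9.db/key4.db to the shared db. It assumes openssl and the NSS tools certutil and pk12util are installed, and optionally softhsm2-util and pkcs11-tool; the SoftHSM2 module path, the token label "client-certs", the nickname "demo-user" and the password "changeit" are all placeholders chosen here. The self-signed certificate it generates is constructed test material, not something a real CA issued.

```shell
#!/bin/sh
# Added example, not code from the original answer. Client certs are per-user
# credentials, so everything here lives under $HOME; nothing touches
# /etc/ssl/certs, which holds CA certs used to verify server certs.
# Assumed tools: openssl, certutil and pk12util (libnss3-tools); optionally
# softhsm2-util and pkcs11-tool (opensc) for the PKCS#11 part.
set -eu

# Override NSSDB (e.g. to a temp dir) to keep the real store untouched.
NSSDB="${NSSDB:-$HOME/.pki/nssdb}"
# Assumed SoftHSM2 module path (Debian/Ubuntu layout); differs per distro.
SOFTHSM_MODULE="${SOFTHSM_MODULE:-/usr/lib/softhsm/libsofthsm2.so}"

# Create the shared NSS db in the "sql:" format (cert9.db/key4.db) if missing.
init_nssdb() {
    mkdir -p "$NSSDB"
    chmod 700 "$NSSDB"
    [ -f "$NSSDB/cert9.db" ] || certutil -d "sql:$NSSDB" -N --empty-password
}

# Build a throwaway self-signed client cert + key and wrap them in PKCS#12.
# Constructed test material only. Legacy PBE/MAC algorithms are requested
# because older NSS releases cannot read the PBKDF2/AES bundles that
# OpenSSL 3 produces by default.
make_test_p12() {
    dir="$1"; nick="$2"; pass="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$nick" -addext "extendedKeyUsage=clientAuth" \
        -keyout "$dir/$nick.key" -out "$dir/$nick.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/$nick.crt" -inkey "$dir/$nick.key" \
        -name "$nick" -passout "pass:$pass" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -out "$dir/$nick.p12"
}

# Import a PKCS#12 bundle (cert + private key) into the shared db. The
# nickname NSS shows is the bundle's friendlyName, i.e. the -name above.
import_client_p12() {
    p12="$1"; pass="$2"
    pk12util -d "sql:$NSSDB" -i "$p12" -W "$pass" -K ""
}

# Succeed only if a cert with this nickname exists in the shared db.
has_client_cert() {
    certutil -d "sql:$NSSDB" -L -n "$1" >/dev/null 2>&1
}

# Make a Firefox/Thunderbird profile share the db (close the app first).
# This is the symlink trick from the answer; it is not the default setup.
link_profile_to_nssdb() {
    profile="$1"
    for f in cert9.db key4.db; do
        if [ -e "$profile/$f" ] || [ -L "$profile/$f" ]; then
            mv "$profile/$f" "$profile/$f.bak"
        fi
        ln -s "$NSSDB/$f" "$profile/$f"
    done
}

# Optional: put the same key/cert into a SoftHSM2 token so PKCS#11-aware
# apps (directly or through p11-kit) can use it as well.
import_into_softhsm() {
    dir="$1"; nick="$2"; pin="$3"
    softhsm2-util --show-slots | grep -q "Label:.*client-certs" ||
        softhsm2-util --init-token --free --label "client-certs" \
            --so-pin "$pin" --pin "$pin"
    # softhsm2-util wants an unencrypted PKCS#8 PEM key, which -nodes produced.
    softhsm2-util --import "$dir/$nick.key" --token "client-certs" \
        --label "$nick" --id 01 --pin "$pin"
    openssl x509 -in "$dir/$nick.crt" -outform DER -out "$dir/$nick.der"
    pkcs11-tool --module "$SOFTHSM_MODULE" --login --pin "$pin" \
        --write-object "$dir/$nick.der" --type cert --id 01 --label "$nick"
}

# Stand-alone demo: import a constructed test cert into $NSSDB.
demo() {
    work=$(mktemp -d)
    make_test_p12 "$work" demo-user changeit
    init_nssdb
    import_client_p12 "$work/demo-user.p12" changeit
    has_client_cert demo-user && echo "demo-user is now in sql:$NSSDB"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `NSSDB=/tmp/nssdb-test sh import-client-cert.sh demo` to try it without touching ~/.pki/nssdb; afterwards `certutil -d sql:$NSSDB -L` and `certutil -d sql:$NSSDB -K` show the imported cert and key. Apps built on OpenSSL or GnuTLS still need the PEM files handed to them directly; this script only covers the NSS and PKCS#11 paths the answer describes.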