25

On Fedora, I'm talking about the list displayed when you go to settings > manage certificates > authorities tab.

I've read that it should be in the NSS shared DB, but this command returns an empty list:

[laurent@localhost nssdb]$ certutil -d sql:$HOME/.pki/nssdb -L
slm
  • 369,824

4 Answers

16

Those are NSS built-in certificates. They are provided through a shared library: /usr/lib/libnssckbi.so (path may be different on your system). That's where Chrome gets them from.
You could list them with certutil like this:

Make a link to the library in ~/.pki/nssdb:

ln -s /usr/lib/libnssckbi.so ~/.pki/nssdb

Then run:

certutil -L -d sql:$HOME/.pki/nssdb/ -h 'Builtin Object Token'

Output:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:GTE CyberTrust Global Root              C,C,C
Builtin Object Token:Thawte Server CA                        C,,C 
Builtin Object Token:Thawte Premium Server CA                C,,C 
Builtin Object Token:Equifax Secure CA                       C,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 1 C,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 3 C,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority C,C,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2 ,C,  
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G2 ,C,C 
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority - G2 C,C,C
Builtin Object Token:GlobalSign Root CA                      C,C,C
Builtin Object Token:GlobalSign Root CA - R2                 C,C,C
Builtin Object Token:ValiCert Class 1 VA                     C,C,C
Builtin Object Token:ValiCert Class 2 VA                     C,C,C
Builtin Object Token:RSA Root Certificate 1                  C,C,C
..................................................................
..................................................................
don_crissti
  • 82,805
  • 1
    And if I want to add a certificate to Chrome's trusted store using certutil, how can I?

    certutil -d sql:$HOME/.pki/nssdb -A -n 'certificate name' -i filename.cer -t "CT,,"

    adds the cert into the nss db, but Chrome and Firefox don't see/trust the new cert.

    – ndemarco Mar 03 '20 at 04:06
  • @ndemarco - your command looks good to me, no idea why it doesn't work. – don_crissti Mar 03 '20 at 10:42
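As an added example (not code from the answer above or from the NSS project), the following POSIX sh script does what the answer describes: it links libnssckbi.so into the user's NSS database, lists the Builtin Object Token, and then parses the Trust Attributes column so you can see which builtin roots are actually trusted for SSL (first flag of SSL,S/MIME,JAR/XPI contains C). The candidate library paths beyond /usr/lib are assumptions for other distributions; the embedded sample listing is constructed from the answer's output and is parsed instead when certutil is not installed.

```shell
#!/bin/sh
# Added example, not part of the answer above: list NSS builtin root CAs and
# report which ones are trusted for SSL. Needs certutil (nss-tools); if it is
# missing, a constructed sample of the answer's output is parsed instead.

NSSDB="${NSSDB:-$HOME/.pki/nssdb}"

# Candidate locations for libnssckbi.so (assumption: the path varies by distribution).
find_ckbi() {
    for p in /usr/lib64/libnssckbi.so /usr/lib/libnssckbi.so \
             /usr/lib64/nss/libnssckbi.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so; do
        if [ -e "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Constructed sample in the shape of `certutil -L -h 'Builtin Object Token'` output.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:GTE CyberTrust Global Root              C,C,C
Builtin Object Token:Thawte Server CA                        C,,C 
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2 ,C,  
Builtin Object Token:GlobalSign Root CA - R2                 C,C,C'

# Link the builtin module into the user db (as the answer does) and list it.
list_builtin_cas() {
    if command -v certutil >/dev/null 2>&1 && ckbi=$(find_ckbi); then
        mkdir -p "$NSSDB"
        [ -e "$NSSDB/cert9.db" ] || certutil -d "sql:$NSSDB" -N --empty-password
        [ -e "$NSSDB/libnssckbi.so" ] || ln -s "$ckbi" "$NSSDB/libnssckbi.so"
        certutil -L -d "sql:$NSSDB" -h 'Builtin Object Token'
    else
        printf '%s\n' "$SAMPLE"
    fi
}

# Turn each certificate line into "TRUST<TAB>NICKNAME". The trust column is the
# last blank-separated field (e.g. C,,C or ,C,); the nickname is everything before it.
parse_certutil_list() {
    awk '/^Builtin Object Token:/ {
            trust = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)
            print trust "\t" $0
        }'
}

# Keep only CAs whose SSL flag (first of SSL,S/MIME,JAR/XPI) contains C:
# these are the roots NSS clients accept as issuers of server certificates.
ssl_trusted_cas() {
    awk -F'\t' '{ split($1, f, ","); if (f[1] ~ /C/) print $2 }'
}

# Helpers over the sample, so the parsing can be checked offline.
count_ssl_trusted() {
    printf '%s\n' "$SAMPLE" | parse_certutil_list | ssl_trusted_cas | wc -l | tr -d ' '
}
trust_of() {
    printf '%s\n' "$SAMPLE" | parse_certutil_list |
        awk -F'\t' -v n="Builtin Object Token:$1" '$2 == n { print $1 }'
}

# Live listing of SSL-trusted builtin roots: sh list-builtin-cas.sh run
if [ "${1:-}" = "run" ]; then
    list_builtin_cas | parse_certutil_list | ssl_trusted_cas
fi
```

Two points worth noticing in the sample: "Thawte Server CA" is trusted for SSL but not for S/MIME (C,,C), and the Verisign Class 1 G2 root is trusted only for S/MIME (,C,), so it will not be accepted for server certificates even though it appears in the listing. Any certificate you add with `-A -t "CT,,"` into the same sql: database shows up in the same listing with its own trust column, which is a quick way to confirm what the client actually sees.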
9

It gets them from the underlying operating system. You can read about it here:

excerpt from above link

Google Chrome attempts to use the root certificate store of the underlying operating system to determine whether an SSL certificate presented by a site is indeed trustworthy, with a few exceptions.

That page goes on to describe whom to contact if you're a root CA provider for the various OSes, etc.


slm
  • 369,824
  • It seems like this has changed in version 1.4 of the policy at the link above (Root Certificate Policy 1.4) "Chrome began a platform-by-platform transition from relying on the host operating system’s Root Store to its own on Windows, macOS, ChromeOS, Linux, and Android." – tjb Mar 27 '23 at 09:27
3

In the off chance that you're asking because you actually need to use the list of root CAs, here they are (unfortunately named only by index):

Individual Certificate Files

https://github.com/coolaj86/node-ssl-root-cas/tree/master/pems

Mozilla's Big File of Certificates

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1

Scripts to Parse the Big File of Certificates

https://github.com/coolaj86/node-ssl-root-cas

https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl

http://curl.haxx.se/docs/mk-ca-bundle.html

General Information about extracting Mozilla's Certificates File

http://curl.haxx.se/docs/caextract.html

coolaj86
  • 465
1

Looks like this has changed in Chrome 107 as Google brings in their own "Chrome Root Store":

https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md

https://support.google.com/chrome/a/answer/7679408#certVerifRem107

blomster
  • 111