Description of the issue:
I need to trust corporate Certificate Authorities in Brave on Linux. I need to be able to do this in an automated way as I’m building a SOE. That is, it cannot be done by manually importing a CA’s Public certificate in Settings as the user.
I had this problem and had to search and experiment a bit before finding a solution. Could this please be adapted somewhere in Brave Documentation?
Note that I have not tested this with Ubuntu’s Snap packages (as we avoid them for a variety of reasons) but it should work.
I see at least a few threads of people having the same challenge.
Solution
Chromium-based browsers, like Brave, don’t trust certificates from the OS trust store on Linux. Instead they keep their own certificate store, but they do include the user’s Network Security Services (NSS) database. So while there isn’t an elegant policy-based solution like Firefox has (where you can just name a certificate file to import in the JSON policy file), it’s not too hard to implement in an automated way.
Steps
- The user’s home directory must already exist.
- A package must be installed which provides `certutil` (libnss3-tools on Debian/Ubuntu).
- Ensure that the `$HOME/.pki/nssdb/pkcs11.txt` file exists; if it doesn’t, create the directory structure and the database. The second command must run as the user (I used ansible’s become_user to do this):

      mkdir -p ${HOME}/.pki/nssdb
      modutil -dbdir sql:${HOME}/.pki/nssdb --empty-password

  It might look bad to have no password, but if a user starts Brave or any Chromium-based browser they will create the nssdb without a password. These browsers rely on a separate keyring which you set a passphrase for when starting the browser. In Gnome the seahorse utility manages this.
- Add your private Certificate Authority’s public certificate to the NSS database. These commands should be run as the user (again I used ansible’s become_user to do this).
  - For a root certificate authority:

        certutil -d sql:${HOME}/.pki/nssdb -A -t "TC,C,C" -n "Name of your Root CA" -i /usr/local/share/ca-certificates/your_Root_CA.crt

  - For an intermediate CA:

        certutil -d sql:${HOME}/.pki/nssdb -A -t "Tc,c,c" -n "Name of your Intermediate CA" -i /usr/local/share/ca-certificates/your_Intermediate_CA.crt

  (Note the `-t "TC,C,C"` argument, which is different between the two and is explained in the man page of certutil.)
- These steps should be run every time your Certificate Authorities have their own certificates renewed.
- If necessary this could be written in a shell script and run as the user on login.
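The steps above carried through as one re-runnable script. This is an added example, not code from the original post or from Brave/Chromium: it keeps the post’s trust flags, nicknames and certificate paths (placeholders you adjust for your own CAs), assumes it runs as the target user, and creates the database with `certutil -N --empty-password` instead of the post’s modutil invocation. `nickname_listed` parses `certutil -L` output so that an entry with the same nickname is replaced on renewal rather than duplicated; the embedded listing is a constructed sample used only to exercise that check without a live database.

```shell
#!/bin/sh
# Added example, not from the original post: import private CAs into the per-user
# NSS database that Brave and other Chromium-based browsers read on Linux.
# Run as the target user (login script, or ansible become_user). The CA file paths
# and nicknames are the placeholders from the post; adjust them for your SOE.
set -eu

NSSDB="${NSSDB:-${HOME}/.pki/nssdb}"

# Trust flags from the post: a root CA is a trusted CA for SSL, S/MIME and code
# signing ("TC,C,C"); an intermediate gets the lowercase variant ("Tc,c,c").
trust_flags() {
  case "$1" in
    root)         printf 'TC,C,C' ;;
    intermediate) printf 'Tc,c,c' ;;
    *) echo "unknown CA role: $1" >&2; return 1 ;;
  esac
}

# Read a `certutil -L` listing on stdin and succeed if the nickname is present.
# Each entry line is "<nickname><spaces><trust flags>", and nicknames may contain
# spaces, so strip the trailing flags column rather than splitting on whitespace.
nickname_listed() {
  awk -v n="$1" '
    { line = $0; sub(/[ \t]+[A-Za-z,]*$/, "", line); if (line == n) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Create the database the first time, with no password: this mirrors what the
# browser itself does when it creates the nssdb on first start.
ensure_db() {
  if [ ! -f "${NSSDB}/pkcs11.txt" ]; then
    mkdir -p "${NSSDB}"
    certutil -N -d "sql:${NSSDB}" --empty-password
  fi
}

# Import (or replace) one CA certificate. Removing an existing entry under the same
# nickname first makes the script safe to re-run after the CA renews its certificate.
import_ca() {
  role="$1"; nick="$2"; file="$3"
  flags=$(trust_flags "$role")
  if certutil -L -d "sql:${NSSDB}" | nickname_listed "$nick"; then
    certutil -D -d "sql:${NSSDB}" -n "$nick"
  fi
  certutil -A -d "sql:${NSSDB}" -t "$flags" -n "$nick" -i "$file"
}

# Constructed sample in the shape `certutil -L` prints, used only to exercise
# nickname_listed without a live database.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Name of your Root CA                                         CT,C,C
Name of your Intermediate CA                                 CT,c,c'

main() {
  ensure_db
  import_ca root "Name of your Root CA" /usr/local/share/ca-certificates/your_Root_CA.crt
  import_ca intermediate "Name of your Intermediate CA" /usr/local/share/ca-certificates/your_Intermediate_CA.crt
  # Show the result so a login-time run leaves evidence in the log.
  certutil -L -d "sql:${NSSDB}"
}

# Only touch the real database when invoked with "apply"; otherwise the file just
# defines the functions, which is what a login hook or a dry check wants.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as the user with `sh import-cas.sh apply` (the file name is an assumption). Because the nickname check happens before each import, the same invocation serves both first install and CA renewal.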
Sources
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/linux/cert_management.md