
Install an SSL certificate on Chromium


Objective 🔍

The objective of this tutorial is to install an SSL certificate on the Chromium web-browser of your WebPanel/TouchController.

Description 📖

If you try to communicate via HTTPS with a web-server hosted by a PLC through a web-browser, and the SSL certificate of your PLC is self-signed or signed by a non-trusted CA, your browser will show you a page that looks like this:

This is because your browser does not trust the certificate of the PLC. In order to fix this problem, you'll need to install the certificate of the PLC inside the device that is using the web-browser. This way, your web-browser will consider the certificate as "trusted". Chromium, in particular, uses the NSS Shared DB to store its SSL certificates, which can be configured using the certutil tool.

Prerequisites 🛠️

Steps 🪜

  1. Connect to the device via SSH using the user account:
    ssh user@<DEVICE_IP>
    
  2. To make sure the NSS database is up, try to list all the installed certificates:

    certutil -d sql:$HOME/.pki/nssdb -L
    

    If you don't have any certificate installed, the output should be something like this:

    Certificate Nickname    Trust Attributes
                            SSL,S/MIME,JAR/XPI
    
  3. Navigate to the /data/user folder and create a temporary folder to store the certificate:

    cd /data/user
    mkdir ssl-certs
    

  4. Copy the certificate from your host machine to the /data/user/ssl-certs folder on your WP/TC:

    cd <HOST_CERTIFICATE_FOLDER>
    scp <CERTIFICATE_FILE> user@<DEVICE_IP>:/data/user/ssl-certs
    

    Note: the certificate file usually has a .crt, .cer or .pem extension.

  5. Add the certificate to the NSS database:

    certutil -d sql:$HOME/.pki/nssdb -A -t "<TRUSTARGS>" -n <CERTIFICATE_NICKNAME> -i <CERTIFICATE_FILE>
    

    Trust attributes

    Parameter -t allows you to specify trust attributes when adding a certificate. This should be configured according to the certificate type.

    There are three trust categories defined with this option: -t <1>,<2>,<3>:

    1. SSL
    2. email
    3. object signing

    Only the first category position (SSL) is relevant here, so the other two are left unset.

    In each category position, use none, any, or all of the attribute codes:

    - p - Valid peer
    - P - Trusted peer (implies p)
    - c - Valid CA
    - C - Trusted CA (implies c)
    - T - Trusted CA for client authentication (SSL server only)

    For example, to add a self-signed certificate to the NSS database:

    certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <CERTIFICATE_NICKNAME> -i <CERTIFICATE_FILE>
    

    If you need more details about which category should be used with a different certificate type, please refer to the Chromium Docs and Meena's blog post.
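
As an added example (not part of the original tutorial), the following POSIX shell functions read the `certutil -L` listing from step 2 and report, for each nickname, whether its SSL trust position makes it a trusted peer, a trusted CA, or neither. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Usage on the device: certutil -d sql:$HOME/.pki/nssdb -L | audit_nss_listing

# Classify the SSL (first) position of a trust string such as "P,," or "CT,C,C".
classify_ssl_trust() {
    ssl=${1%%,*}
    case $ssl in
        *[CT]*) echo ca-trusted ;;    # trusted CA: certificates it issues are accepted
        *P*)    echo peer-trusted ;;  # trusted only as this one server certificate
        *)      echo untrusted ;;     # listed in the database but not trusted for SSL
    esac
}

# Read a `certutil -L` listing on stdin and print one line per certificate:
# <verdict><TAB><nickname><TAB><trust attributes>
audit_nss_listing() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"${line##*[![:space:]]}"}      # drop trailing whitespace
        set -f; set -- $line; set +f               # split into fields, no globbing
        [ $# -ge 2 ] || continue                   # blank line or "SSL,S/MIME,JAR/XPI" row
        for trust in "$@"; do :; done              # last field holds the trust attributes
        case $trust in
            *[!A-Za-z,]*) continue ;;              # not a trust string
            *,*,*) ;;                              # three comma-separated positions
            *) continue ;;                         # "Certificate Nickname ..." header row
        esac
        nick=${line%"$trust"}                      # nicknames may contain spaces
        nick=${nick%"${nick##*[![:space:]]}"}      # trim column padding
        nick=${nick#"${nick%%[![:space:]]*}"}
        printf '%s\t%s\t%s\n' "$(classify_ssl_trust "$trust")" "$nick" "$trust"
    done
}

# Constructed sample listing (nicknames are made up for this example).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

plc-webserver                                                P,,
Plant Internal CA                                            C,,
old-test-cert                                                ,,
EOF
}

sample_listing | audit_nss_listing
```

A self-signed PLC certificate added with "P,," as shown above should be reported as peer-trusted; an entry reported as ca-trusted is trusted as a CA for SSL, so it is worth confirming that it really is a CA certificate you intended to trust.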

Additional operations ➕

If you need to delete an SSL certificate from the NSS database:

certutil -d sql:$HOME/.pki/nssdb -D -n <CERTIFICATE_NICKNAME>
