author | Thore Bödecker <me@foxxx0.de> | 2020-01-16 14:51:51 +0100 |
---|---|---|
committer | Thore Bödecker <me@foxxx0.de> | 2020-01-16 14:51:51 +0100 |
commit | 2a4bd92e98f4f55476052f316e7322e4c0a9dacc (patch) | |
tree | c8f9b950140004cf353e1d2dfd72d35166a50cd9 | |
parent | 51c02386cb4af6c201b1faede6f4b1b94422552b (diff) | |
download | qutebrowser-2a4bd92e98f4f55476052f316e7322e4c0a9dacc.tar.gz qutebrowser-2a4bd92e98f4f55476052f316e7322e4c0a9dacc.zip |
add documentation for client cert usage
-rw-r--r-- | doc/faq.asciidoc | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/doc/faq.asciidoc b/doc/faq.asciidoc index 1a256bc0b..ee9606372 100644 --- a/doc/faq.asciidoc +++ b/doc/faq.asciidoc 
@@ -262,6 +262,58 @@ How do I change the `WM_CLASS` used by qutebrowser windows?:: qutebrowser instance (unless you use `--temp-basedir` or `--basedir`), so they all will share the same `WM_CLASS`. +How do I use X.509 Client Certificates?:: +Right now there is no certificate-chooser prompt implemented when there are +multiple matches. Subscribe to https://github.com/qutebrowser/qutebrowser/issues/4587[Issue#4587] +for progress notifications. ++ +Currently QtWebEngine will attempt to use certificates stored in +`${HOME}/.pki/nssdb` by default. Assuming you have a CA Certificate and a +Client Certificate that you want for authenticating yourself on a web +service that validates against this CA Certificate, you need to perform +the following steps. ++ +1. Import the CA Certificate ++ +---- +certutil -D "sql:${HOME}/.pki/nssdb" -A -i <path_to_ca_cert.pem> -n "My Fancy CA" -t "TC,C,T" +---- ++ +2. Merge your `<cert.crt>` and `<privkey.pem>` files into a single `PKCS#12` +certificate file (optional, skip if your Client Certificate already is in +`PKCS#12` format) ++ +---- +openssl pkcs12 -export -in <path_to_client_cert.crt> -inkey <path_to_client_cert_privkey.pem> -out my_fancy_client_cert.pkcs12 +---- ++ +3. Import your Client Certificate into the certificate store ++ +---- +pk12util -d "sql:${HOME}/.pki/nssdb" -i <path_to_my_fancy_client_cert.pkcs12> -n "My Fancy Client Certificate" +---- ++ +Upon visiting a website that requests a Client Certificate you should now +be prompted by qutebrowser whether you want to submit the newly imported +Client Certificate or not. ++ +If you ever need to renew any of these certificates, you can take a look +at the currently imported certificates using: ++ +---- +certutil -D "sql:${HOME}/.pki/nssdb" -L +---- ++ +Then remove the expired certificates using: ++ +---- +certutil -D "sql:${HOME}/.pki/nssdb" -D -n "My Fancy Certificate Nickname" +---- ++ +And then import the new and valid certificates using the procedure +described above. 
+ + == Troubleshooting Unable to view Flash content.:: |
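Review bot: The three certutil invocations (the CA import in step 1, the `-L` listing, and the removal command) pass the database with an uppercase `-D`, but certutil takes the database directory as lowercase `-d`; `-D` is its delete-certificate operation. As written, the import and list commands name two operations at once and the removal reads `-D "sql:..." -D -n ...`. Change all three to `certutil -d "sql:${HOME}/.pki/nssdb" ...`, which also matches the `pk12util -d` line in step 3. Two smaller documentation points in the same hunk: the trust string `"TC,C,T"` in step 1 marks the imported CA as a trusted issuer of server certificates as well, for everything that uses this NSS database, so the text should tell readers to import only a CA they are willing to trust that broadly (or use narrower flags). Step 2 also leaves `my_fancy_client_cert.pkcs12`, which contains the private key, on disk after the import; a sentence on removing or protecting that file once step 3 has succeeded would help.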