DoD Root Certificate Installation in Linux



Not sure how many of you this will apply to. Many of you may notice that, if you run Linux and use Google Chrome, you get prompted to "Proceed Anyway" any time you try to go to a DoD site, and some of them won't open at all. I've tried various methods of importing the certificates using Google Chrome and it never worked. The way I managed to get it to work was to use certutil to import the certificates into your personal PKI store so that not only Google Chrome, but other applications have trusted access to the root certificates. I read about it on this web-page. I wrote a short bash script to automate the process for you, and thought I would share with you guys.

Download the Script Here

Here's the source code of it if you just want to run the commands yourself:


#!/bin/bash
#DoD Root Certificate Installer Version 1
#Downloads and installs the DoD root certificates so browsers like Google Chrome can open and use DoD sites without bugging the hell out of you.
#Written for use on a Debian system.  If you're not using Debian the commands are still relevant, just make sure you have the program certutil available, and remove the part that installs libnss3-tools
#Marcus Dean Adams ([email protected]) 30 September 2011

#Makes sure the script is running as a normal user, so the certificates will get imported into their personal certificate store, and not the one for the root account.
if [[ $EUID = 0 ]]; then
   echo "This script must be run as your normal user account, if you REALLY want to import these certs as root, just edit this script and remove this whole section." 1>&2
   exit 1
fi

#Installs libnss3-tools on Debian based systems; this package provides the certutil functionality.
echo "Installing pre-requisite..."
echo ""
su-to-root -c "apt-get -y install libnss3-tools"

#This makes a temporary folder in the $HOME of the current user named .dodcerts, downloads the certificates to there, installs them, then removes the folder.
echo "Downloading and installing certificates..."
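#-p keeps a re-run from failing if the folder already exists; the script stops if it cannot enter the folder.
mkdir -p "$HOME/.dodcerts"
cd "$HOME/.dodcerts" || exit 1
wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b
wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b
wget http://dodpki.c3pki.chamb.disa.mil/dodeca2.p7b
#Paths and file names are quoted so a $HOME containing spaces does not break the import.
for n in *.p7b; do certutil -d "sql:$HOME/.pki/nssdb" -A -t TC -n "$n" -i "$n"; done
rm -rf "$HOME/.dodcerts"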

#Exits properly.
exit
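
The script above fetches the bundles over plain HTTP and marks them as trusted CAs, so nothing checks that the files are the ones DISA published. The following is an added example, not part of the original post: it splits a bundle into individual certificates and imports them only if every SHA-256 fingerprint appears in a pin file you filled in from an authoritative source. The function names and the pin file are hypothetical, and it assumes openssl and certutil are installed.

```shell
#!/bin/bash
# Added example (not from the original post): import only pinned certificates.
# Pin file (hypothetical): one SHA-256 fingerprint per line, '#' starts a comment.

# Reduce "sha256 Fingerprint=AA:BB:..." (or a bare hex string) to uppercase hex.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \r\n' | tr 'a-f' 'A-F'
}

# Succeeds only if fingerprint $1 is a full SHA-256 value listed in pin file $2.
# Colons, case and a leading "...Fingerprint=" label are ignored on both sides.
fp_is_pinned() {
  local want line
  want=$(normalize_fp "$1")
  [ ${#want} -eq 64 ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    if [ "$(normalize_fp "$line")" = "$want" ]; then return 0; fi
  done < "$2"
  return 1
}

# Split DER PKCS#7 bundle $1 into single PEM certificates, check each against
# pin file $2, and import into NSS database $3 only if all of them are pinned.
import_verified_bundle() {
  local bundle="$1" pins="$2" db="${3:-sql:$HOME/.pki/nssdb}" tmp cert fp i=0
  tmp=$(mktemp -d) || return 1
  openssl pkcs7 -inform DER -in "$bundle" -print_certs |
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; f=sprintf("%s/cert%03d.pem", dir, n)}
      f {print > f} /-----END CERTIFICATE-----/ {close(f); f=""}'
  for cert in "$tmp"/cert*.pem; do
    [ -e "$cert" ] || { echo "no certificates in $bundle" >&2; rm -rf "$tmp"; return 1; }
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    if ! fp_is_pinned "$fp" "$pins"; then
      echo "REFUSING $bundle: unpinned certificate $(normalize_fp "$fp")" >&2
      rm -rf "$tmp"; return 1
    fi
  done
  for cert in "$tmp"/cert*.pem; do
    i=$((i + 1))
    certutil -d "$db" -A -a -t TC -n "$(basename "$bundle" .p7b)-$i" -i "$cert"
  done
  rm -rf "$tmp"
}
```

In the script, a call such as `import_verified_bundle dodeca.p7b "$HOME/dod-pins.txt"` would replace the `certutil` loop; afterwards `certutil -d sql:$HOME/.pki/nssdb -L` lists what was imported.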
