OK, so I just upgraded from 18.04 LTS to 20.04 LTS, and with it came an upgrade from "standalone" (apt managed) Chromium to "snaps" Chromium, and while trying to do some activities with a public administration in Spain, I was faced with an error for no personal certificates existed (and I have two of them imported in Chromium before upgrading Ubuntu).
I was shocked to see none of the two personal certificates were showing in Chromium anymore. When exporting one of them from Firefox and importing into Chromium, the p12 wouldn't even show in the list to be picked up when importing. Went a step back and followed the authentication chain all the way down from the root: - Root CA certificate : https://www.sede.fnmt.gob.es/documents/10445900/10526749/AC_Raiz_FNMT-RCM_SHA256.cer This one could not be imported just because it was already loaded by default in Chromium. But the dialog which opens when following the link directly has the "Import" button greyed out. - Subordinated CA certificate (the one used to sign the users' certificates) : https://www.sede.fnmt.gob.es/documents/10445900/10526749/AC_FNMT_Usuarios.cer This one also had the "Import" button greyed out when following the link. If going through the certificate authority "import" in preferences, after selecting the "CA uses", gives an "unknown error". Both this and the root CA are obtained in DER format. Wasted my time converting the certificate from DER to PEM format and trying to import it, to (as expected) no avail. For reference, here you have a full (abbreviated) dump of the certificate that wouldn't be imported (certainly certificate is NOT expired and it uses up to date SHA256 signatures and 2048 bit RSA public keys): """ openssl x509 -inform DER -in AC_FNMT_Usuarios.cer -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 45:5f:3a:e1:5c:21:cd:ba:54:4f:82:aa:47:51:eb:db Signature Algorithm: sha256WithRSAEncryption Issuer: C = ES, O = FNMT-RCM, OU = AC RAIZ FNMT-RCM Validity Not Before: Oct 28 11:48:58 2014 GMT Not After : Oct 28 11:48:58 2029 GMT Subject: C = ES, O = FNMT-RCM, OU = Ceres, CN = AC FNMT Usuarios Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:9d:20:04:26:2d:fb:2d:69:30:cb:d9:93:7f:a5: ... b0:47 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: B1:D4:4F:C4:23:79:FA:44:05:09:C6:EB:39:CF:E8:35:B0:B8:20:64 Authority Information Access: OCSP - URI:http://ocspfnmtrcmca.cert.fnmt.es/ocspfnmtrcmca/OcspResponder CA Issuers - URI:http://www.cert.fnmt.es/certs/ACRAIZFNMTRCM.crt X509v3 Authority Key Identifier: keyid:F7:7D:C5:FD:C4:E8:9A:1B:77:64:A7:F5:1D:A0:CC:BF:87:60:9A:6D X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: http://www.cert.fnmt.es/dpcs/ User Notice: Explicit Text: Sujeto a las condiciones de uso expuestas en la Declaración de Prácticas de Certificación de la FNMT-RCM ( C/ Jorge Juan, 106-28009-Madrid-España) X509v3 CRL Distribution Points: Full Name: URI:ldap://ldapfnmt.cert.fnmt.es/CN=CRL,OU=AC%20RAIZ%20FNMT-RCM,O=FNMT-RCM,C=ES?authorityRevocationList;binary?base?objectclass=cRLDistributionPoint URI:http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl Signature Algorithm: sha256WithRSAEncryption 8c:3d:28:b4:e0:7e:0d:f3:6e:5c:da:5c:77:3d:80:64:1e:4e: ... 34:66:50:1b:75:c2:98:11 """ This defect basically makes Chromium in Ubuntu 20.04 unusable in Spain for anyone doing any kind of transaction with most public administrations in Spain, including but not limited to filling your taxes (we are in the middle of the 2019 year tax filling). Guess as per the original reporter's upstream Bug with Google this may not be due to Ubuntu but to some Google's messup. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1662440 Title: Unable to import FNMT certificates in chromium or chrome To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1662440/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
