Discussion:
[chromium-dev] How to add a ev root
Haitao Huo
2018-07-18 07:36:28 UTC
I'm doing experiments to add an EV root to my own build of Chromium. Referring to
commit 3daa25b
<https://chromium.googlesource.com/chromium/src/+/3daa25b46109954c71f1a5791e3464a54b2973a6>,
I made the local changes below:

1. Generate a root CA with the commands below:
$ openssl genrsa -out TestRootCA.key 2048
$ openssl genrsa -des3 -out TestRootCA.key 2048
$ openssl req -x509 -new -nodes -key TestRootCA.key -sha256 -days 1024 -out TestRootCA.pem

2. Bump the CA file into ./src/net/data/ssl/ev_roots/
$ openssl x509 -text -in TestRootCA.pem > $(openssl x509 -fingerprint -noout -in TestRootCA.pem -sha256 | awk -F= '{print $2}' | sed 's/.*/\L&/g' | sed 's/://g').pem

3. Add new record to kEvRootCaMetadata in src/net/cert/ev_root_ca_metadata.cc
<https://cs.chromium.org/chromium/src/net/cert/ev_root_ca_metadata.cc?l=50>

4. Rebuild chrome and check the Manage Certificates->Authorities in
Settings.

But I did not find my root CA listed. Any steps I missed?
--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/1eb47a5c-9b37-4e1b-9f06-0058c621d8a5%40chromium.org.
y***@gmail.com
2018-11-27 13:55:55 UTC
Were you finally able to get this working? I have been trying desperately for
the past couple of days to no avail. Wasted money and time. If you can, or
know someone, I am willing to pay for it.
Thanks.
Ryan Sleevi
2018-11-27 20:33:50 UTC
Could you explain how you wasted money?

The answer is because adding it to ev_root_ca_metadata does not make the CA
trusted. You need to do that on your own, through your OS management APIs.
If the CA is trusted, and modified in the metadata, it should just work.
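Added example (not part of the original thread and not Chromium code): a Python check that a file under ev_roots/ is named after the lowercase SHA-256 fingerprint of the certificate it contains, as step 2 of the first post intends, plus a simplified model of the two separate conditions named in the last reply. The function names, the sample bytes and the two fingerprint sets are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_from_pem(text):
    """Return the DER bytes of the first CERTIFICATE block, skipping the
    human-readable dump that `openssl x509 -text` writes before it."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(text):
    """SHA-256 over the DER encoding: lowercase hex, no colons."""
    return hashlib.sha256(der_from_pem(text)).hexdigest()

def name_matches(filename, text):
    """True when an ev_roots file is named after the cert it contains."""
    return filename == fingerprint(text) + ".pem"

def ev_status(fp, os_trusted, ev_metadata):
    """Simplified model (an assumption, not Chromium's logic) of the reply:
    OS trust and EV metadata are separate requirements."""
    if fp not in os_trusted:
        return "untrusted: import the root into the OS trust store"
    if fp not in ev_metadata:
        return "trusted, no EV: add the fingerprint to the EV metadata"
    return "trusted and EV-eligible"

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"  # -text preamble
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM)
    print(fp + ".pem", name_matches(fp + ".pem", SAMPLE_PEM))
    print(ev_status(fp, os_trusted=set(), ev_metadata={fp}))
```

With a real root, pass the contents of the generated .pem file to fingerprint() and compare the result with the output of the openssl pipeline in step 2.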