
Personal certificate management on Linux

Recently I've been wondering about personal certificate management solutions on Linux (certificates that are usually given out by the government to access government sites, sign documents, etc.). I have googled around and couldn't really find a good solution for this.

Basically what I want to achieve is the same thing that Windows has. In Windows you import your personal certificate into the OS certificate store and set a password for it. Then every time an application wants to use said certificate (for example web browser when accessing secure pages or Adobe Acrobat when signing PDFs) you need to enter a password in order to decrypt it.

In Linux the only options I found so far are:

  1. Importing the certificate into the Firefox cert store, which is used by Mozilla Firefox, LibreOffice and some others. However, the problem with this solution is that the certificate then sits unencrypted on your hard disk and anyone with access to your machine can easily copy it. The Firefox certificate store can be encrypted using a Primary Password (used to be called Master Password); however, this password is not only used to encrypt certificates but also a bunch of other stuff, which means you have to enter it every time you open Firefox. This makes for a lot of unnecessary password typing, as I open my browser lots of times but only need to use the certificates rarely - I would prefer to enter the password only when I actually need it.

  2. Gnome Seahorse - This seemed like the perfect solution, as it encrypts your passwords/certificates using your login password and then hands out access to them to requesting applications. This solution works really well for SSH private keys; however, when I tried to import my personal certificate (.p12 file) into it, the import button stayed disabled. This seems to be a pretty old bug that doesn't look like it'll be fixed any time soon (or at all).

What other solutions are out there? What I want to achieve is to simply store my certificate securely (protected with a password) and then enter this password every time an application wants to use said certificate. To me this seems the only sensible way to manage personal certificates, or am I missing something?
