Per https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/irLAQ8f8uGk
Initial migration of wiki content over to src/docs
There will be a follow-up CL to ensure docs are following Chromium’s style guide, links are fixed, etc. The file auditing was becoming too much for a single change and, per Nico’s suggestion, it seems to be better to do:
+ Bulk import with initial prune.
+ Follow-up CLs to clean up the documentation.
So that each CL has its own purpose.
BUG=none
Review URL: https://codereview.chromium.org/1309473002
Cr-Commit-Position: refs/heads/master@{#345186}
diff --git a/docs/linux_cert_management.md b/docs/linux_cert_management.md
new file mode 100644
index 0000000..7faf6baf
--- /dev/null
+++ b/docs/linux_cert_management.md
@@ -0,0 +1,64 @@
+**NOTE:** SSL client authentication with personal certificates does not work completely in Linux, see [issue 16830](http://code.google.com/p/chromium/issues/detail?id=16830) and [issue 25241](http://code.google.com/p/chromium/issues/detail?id=25241).
+
+# Introduction
+
+The easy way to manage certificates is navigate to chrome://settings/search#ssl. Then click on the "Manage Certificates" button. This will load a built-in interface for managing certificates.
+
+On Linux, Chromium uses the [NSS Shared DB](https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX). If the built-in manager does not work for you then you can configure certificates with the [NSS command line tools](http://www.mozilla.org/projects/security/pki/nss/tools/).
+
+# Details
+
+## Get the tools
+ * Debian/Ubuntu: `sudo apt-get install libnss3-tools`
+ * Fedora: `su -c "yum install nss-tools"`
+ * Gentoo: `su -c "echo 'dev-libs/nss utils' >> /etc/portage/package.use && emerge dev-libs/nss"` (You need to launch all commands below with the `nss` prefix, e.g., `nsscertutil`.)
+ * Opensuse: `sudo zypper install mozilla-nss-tools`
+
+
+## List all certificates
+
+`certutil -d sql:$HOME/.pki/nssdb -L`
+
+### Ubuntu Jaunty error
+Above (and most commands) gives:
+
+`certutil: function failed: security library: invalid arguments.`
+
+Package version 3.12.3.1-0ubuntu0.9.04.2
+
+## List details of a certificate
+
+`certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>`
+
+## Add a certificate
+
+`certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i <certificate filename>`
+
+The TRUSTARGS are three strings of zero or more alphabetic
+characters, separated by commas. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the [certutil docs](http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193) or [Meena's blog post on trust flags](https://blogs.oracle.com/meena/entry/notes_about_trust_flags).
+
+For example, to trust a root CA certificate for issuing SSL server certificates, use
+
+`certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>`
+
+To import an intermediate CA certificate, use
+
+`certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> -i <certificate filename>`
+
+Note: to trust a self-signed server certificate, we should use
+
+`certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> -i <certificate filename>`
+
+This should work now, because [NSS bug 531160](https://bugzilla.mozilla.org/show_bug.cgi?id=531160) is claimed to be fixed in a related bug report. If it doesn't work, then to work around the NSS bug, you have to trust it as a CA using the "C,," trust flags.
+
+### Add a personal certificate and private key for SSL client authentication
+
+Use the command:
+
+`pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12`
+
+to import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to "u,u,u".
+
+## Delete a certificate
+
+`certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>`
\ No newline at end of file
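Review bot: the fallback at the end of "Add a certificate" ("you have to trust it as a CA using the "C,," trust flags") needs a caveat, because the same section describes "C,," as trusting a certificate for issuing SSL server certificates. Following the workaround therefore gives one self-signed server certificate the same trust as a root CA, not the narrower "P,," trust shown just above it. Suggest stating that consequence next to the workaround, replacing "is claimed to be fixed in a related bug report" with the NSS version that actually carries the fix for bug 531160, and telling readers to remove the "C,," entry with the `-D` command from "Delete a certificate" and re-add it as "P,," once they are on a fixed NSS. Two smaller points for the follow-up cleanup CL: the "Ubuntu Jaunty error" subsection records an error message and a package version but no resolution, so it should either gain a workaround or be dropped, and the file ends without a trailing newline.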