Primeiro, para obter o certificate filename, o arquivo do certificado, o mais indicado é pegá-lo no sítio oficial da CA.

No caso do ICP-Brasil, o certificado se encontra disponível em:

• http://acraiz.icpbrasil.gov.br/CertificadoACRaiz.crt

openssl x509 -inform der -in CertificadoACRaiz.crt -out ICP-Brasil.pem

Mas também é possível obtê-lo diretamente do sítio visitado:

1. Acesse o sítio no qual aparece a mensagem falso-positivo;
2. Clique no cadeado que aparece na barra de navegação;
3. Na caixa informações de segurança, clique no botão informações do certificado;
4. Selecione a aba Detalhes;
5. Na caixa Hierarquia de certificados, selecione ICP-Brasil;
6. Após selecionado ICP-Brasil, clique no botão Exportar no final da caixa;
7. Salve o arquivo no local desejado.

De posse do certificado raiz do ICP-Brasil, execute os seguintes comandos:

certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

Esta é a saída porque ainda não há certificados importados.

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n ICP-Brasil -i ICP-Brasil.pem
$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

ICP-Brasil C,,

Observe que agora aparece o ICP-Brasil na lista de certificados.

certutil -d sql:$HOME/.pki/nssdb -L -n ICP-Brasil

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Autoridade Certificadora Raiz Brasileira,ST=DF,L=Brasilia
,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Br
asil,C=BR"
Validity:
Not Before: Fri Nov 30 12:58:00 2001
Not After : Wed Nov 30 23:59:00 2011
Subject: "CN=Autoridade Certificadora Raiz Brasileira,ST=DF,L=Brasili
a,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-B
rasil,C=BR"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c0:f3:2e:77:05:ff:86:f9:be:52:1d:9b:fe:54:00:70:
75:40:8a:c6:a6:68:b9:16:76:4c:0f:f7:f4:bf:b4:e2:
88:81:1a:cb:e8:ec:be:64:81:a5:39:47:5d:ea:e6:2d:
93:d3:1a:ff:7a:54:a6:07:1f:34:08:f4:bd:89:b9:82:
cc:a3:42:8f:5e:9a:c7:3e:c7:a9:b8:55:6c:24:f6:2a:
8c:65:20:8a:e4:44:24:02:af:d4:b7:89:fb:2a:e2:c4:
d7:e8:1d:7e:dc:1d:22:0c:5f:52:c3:ed:e0:2c:8d:ad:
8e:74:41:5e:7b:28:cd:94:4f:cc:79:ae:b9:b3:12:3a:
fb:4c:80:86:a5:25:00:97:68:15:a9:ee:b1:6a:28:be:
6e:66:11:d5:0a:e6:59:a0:52:00:6e:7d:2e:b9:2b:8e:
b6:2d:6d:18:45:6e:85:03:7b:50:ca:fb:a4:fc:b3:92:
fa:93:c7:3c:a2:4a:5b:1e:96:bd:bd:e3:33:b4:35:42:
f6:c3:c9:eb:43:16:5e:1e:9a:9d:52:a8:d5:47:0b:71:
b5:11:c8:47:8d:bd:99:de:55:12:80:01:4e:a8:bb:07:
63:0e:fc:25:b1:a2:b2:74:52:b0:79:dd:13:a1:0e:3b:
6e:65:0a:81:c9:be:c1:5d:de:4d:19:37:e9:43:a7:4f
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Policies
Data:
Policy Name: OID.2.16.76.1.1.0
Policy Qualifier Name: PKIX CPS Pointer Qualifier
Policy Qualifier Data: "http://acraiz.icpbrasil.gov.br/DP
Cacraiz.pdf"

Name: CRL Distribution Points
URI: "http://acraiz.icpbrasil.gov.br/LCRacraiz.crl"

Name: Certificate Subject Key ID
Data:
8a:fa:f1:57:84:11:13:35:90:42:fa:57:49:54:69:0d:
a4:c4:f0:37

Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.

Name: Certificate Key Usage
Critical: True
Usages: Certificate Signing
CRL Signing

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
19:03:97:35:53:f8:60:22:1e:8e:72:02:c0:7e:22:60:
15:6a:6f:98:36:56:aa:55:77:d3:f6:c7:16:98:fc:88:
1a:1b:25:29:b9:b8:3a:6d:ed:38:ab:62:1d:54:c5:ed:
df:41:a1:a5:62:32:5e:fb:dc:dd:fa:2c:cf:45:b0:6a:
5c:f5:50:03:7e:04:5d:cc:24:e2:aa:56:b9:fd:61:1e:
b8:96:7d:da:f1:f0:07:2a:4a:aa:fa:0a:e4:05:c1:2a:
fb:e4:5a:2c:4b:39:70:0c:00:da:ef:49:93:ef:06:63:
02:64:21:9d:9c:76:c4:9e:b0:7d:69:53:f5:54:1f:4b:
ff:c9:61:e2:1c:ec:5b:9e:d8:93:4b:77:4d:14:39:23:
0c:6a:22:bf:b7:bf:5e:9c:a3:47:10:0d:9f:ba:91:f7:
bc:48:a0:7f:91:21:e1:b5:40:37:95:68:86:b4:e6:e8:
c6:39:df:1e:d7:41:96:6b:d4:c1:3b:6b:9e:65:14:49:
d2:79:3d:2e:9a:53:80:8d:1d:a6:01:bb:d2:33:95:f9:
a1:26:4d:ae:67:ad:77:3c:93:8f:67:e5:08:cf:02:0b:
b3:0b:69:bd:24:91:d9:e0:44:89:54:04:61:c5:d7:f4:
b9:9e:63:db:2b:ef:40:e3:ab:1d:df:7a:2a:2b:c9:fc
Fingerprint (MD5):
96:89:7D:61:D1:55:2B:27:E2:5A:39:B4:2A:6C:44:6F
Fingerprint (SHA1):
8E:FD:CA:BC:93:E6:1E:92:5D:4D:1D:ED:18:1A:43:20:A4:67:A1:39

Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA

Agora realize o logoff e um novo logon, e pronto!