+- Forum (http://forum.xbian.org)
+-- Forum: Software (/forum-6.html)
+--- Forum: Configuration (/forum-17.html)
+--- Thread: network CA cert (/thread-4067.html)
network CA cert - gkusiak - 24th Dec, 2019 12:42 AM
should I install my network's ca.crt on my xbian unit? it has been working quite well without it - how might that change if I were to proceed?
(this is also opening a small door to my next question about VPNs and kodi/xbian...but first things first, right?) It may be taken for granted around here that it's the way to proceed, but I'm just looking for a bit of confirmation. I already encrypt my DNS lookups on a network basis (DNS-over-TLS and CloudFlare - a big improvement over my ISP), so putting that inside a tunnel would make for gold-standard (to the best of my knowledge/understanding) privacy and possibly network security.
I'm hoping there is someone here with experience/expertise to offer insight.
Thanks in advance!
RE: network CA cert - deHakkelaar - 31st Dec, 2019 03:40 AM
Why not:
Terminal
xbian@avr ~ $ man update-ca-certificates
[..]
DESCRIPTION
This manual page documents briefly the update-ca-certificates
command.
update-ca-certificates is a program that updates the directory
/etc/ssl/certs to hold SSL certificates and generates ca-certifi‐
cates.crt, a concatenated single-file list of certificates.
It reads the file /etc/ca-certificates.conf. Each line gives a
pathname of a CA certificate under /usr/share/ca-certificates
that should be trusted. Lines that begin with "#" are comment
lines and thus ignored. Lines that begin with "!" are dese‐
lected, causing the deactivation of the CA certificate in ques‐
tion. Certificates must have a .crt extension in order to be
included by update-ca-certificates.
Furthermore all certificates with a .crt extension found below
/usr/local/share/ca-certificates are also included as implicitly
trusted.
[..]
[..]
DESCRIPTION
This manual page documents briefly the update-ca-certificates
command.
update-ca-certificates is a program that updates the directory
/etc/ssl/certs to hold SSL certificates and generates ca-certifi‐
cates.crt, a concatenated single-file list of certificates.
It reads the file /etc/ca-certificates.conf. Each line gives a
pathname of a CA certificate under /usr/share/ca-certificates
that should be trusted. Lines that begin with "#" are comment
lines and thus ignored. Lines that begin with "!" are dese‐
lected, causing the deactivation of the CA certificate in ques‐
tion. Certificates must have a .crt extension in order to be
included by update-ca-certificates.
Furthermore all certificates with a .crt extension found below
/usr/local/share/ca-certificates are also included as implicitly
trusted.
[..]
Drop the CA cert in below folder:
Code:
/usr/local/share/ca-certificates/And run below to apply:
Code:
sudo update-ca-certificatesRE: network CA cert - gkusiak - 1st Jan, 2020 02:00 AM
I'll let everyone know how that works when I get to it later this week.
UPDATE - if your network requires credentials such as ca.crt, you should install it on your xbian system. It'll work faster/better/stronger.