network CA cert - Printable Version

network CA cert - gkusiak - 24th Dec, 2019 12:42 AM

Should I install my network's ca.crt on my XBian unit? It has been working quite well without it - how might that change if I were to proceed?

(This is also opening a small door to my next question about VPNs and Kodi/XBian... but first things first, right?) It may be taken for granted around here that it's the way to proceed, but I'm just looking for a bit of confirmation. I already encrypt my DNS lookups on a network basis (DNS-over-TLS and Cloudflare - a big improvement over my ISP), so putting that inside a tunnel would make for gold-standard (to the best of my knowledge/understanding) privacy and possibly network security.

I'm hoping there is someone here with experience/expertise to offer insight.

Thanks in advance!

RE: network CA cert - deHakkelaar - 31st Dec, 2019 03:40 AM

Why not:

xbian@avr ~ $ man update-ca-certificates
This manual page documents briefly the update-ca-certificates

update-ca-certificates is a program that updates the directory
/etc/ssl/certs to hold SSL certificates and generates ca-certifi‐
cates.crt, a concatenated single-file list of certificates.

It reads the file /etc/ca-certificates.conf. Each line gives a
pathname of a CA certificate under /usr/share/ca-certificates
that should be trusted. Lines that begin with "#" are comment
lines and thus ignored. Lines that begin with "!" are dese‐
lected, causing the deactivation of the CA certificate in ques‐
tion. Certificates must have a .crt extension in order to be
included by update-ca-certificates.

Furthermore all certificates with a .crt extension found below
/usr/local/share/ca-certificates are also included as implicitly

Drop the CA cert in below folder:


And run below to apply:

sudo update-ca-certificates
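
Added example, not part of the original posts and not XBian project code: shell functions that apply the selection rules from the man page excerpt above to show which CA files update-ca-certificates would pick up, and that pre-check a candidate file before it is dropped in. The function names are hypothetical, and the PEM check is an assumption about the expected file encoding.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Active entries of a ca-certificates.conf-style file: skips blank lines,
# "#" comments, "!" deselected entries, and names without a .crt extension.
list_conf_selected() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|'!'*) continue ;;
            *.crt) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Every *.crt found below DIR; per the man page these are trusted implicitly.
list_local_selected() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.crt' | sort
}

# Succeeds only if FILE would be picked up: it needs a .crt extension and
# (assumption) must be PEM-encoded rather than binary DER.
preflight() {
    case "$1" in
        *.crt) ;;
        *) echo "skip: $1 lacks the .crt extension"; return 1 ;;
    esac
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || {
        echo "skip: $1 is not PEM-encoded"
        return 1
    }
    echo "ok: $1"
}

# Report for this machine, using the paths named in the man page excerpt.
CONF=/etc/ca-certificates.conf
LOCAL=/usr/local/share/ca-certificates
if [ -r "$CONF" ]; then
    echo "CAs enabled in $CONF: $(list_conf_selected "$CONF" | wc -l)"
fi
echo "Locally added CAs under $LOCAL:"
list_local_selected "$LOCAL"
```

Anything listed under the local directory is trusted system-wide after the next update-ca-certificates run, so that list should contain only CAs you put there yourself.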

RE: network CA cert - gkusiak - 1st Jan, 2020 02:00 AM

I'll let everyone know how that works when I get to it later this week.

UPDATE - if your network requires credentials such as ca.crt, you should install it on your xbian system. It'll work faster/better/stronger.