network CA cert

[gkusiak]

should I install my network's ca.crt on my xbian unit? it has been working quite well without it - how might that change if I were to proceed?

(this is also opening a small door to my next question about VPNs and kodi/xbian...but first things first, right?) It may be taken for granted around here that it's the way to proceed, but I'm just looking for a bit of confirmation. I already encrypt my DNS lookups on a network basis (DNS-over-TLS and CloudFlare - a big improvement over my ISP), so putting that inside a tunnel would make for gold-standard (to the best of my knowledge/understanding) privacy and possibly network security.

I'm hoping there is someone here with experience/expertise to offer insight.

Thanks in advance!

[deHakkelaar]

Why not:

Terminal

xbian@avr ~ $ man update-ca-certificates
[..]
DESCRIPTION
This manual page documents briefly the update-ca-certificates
command.

update-ca-certificates is a program that updates the directory
/etc/ssl/certs to hold SSL certificates and generates ca-certifi‐
cates.crt, a concatenated single-file list of certificates.

It reads the file /etc/ca-certificates.conf. Each line gives a
pathname of a CA certificate under /usr/share/ca-certificates
that should be trusted. Lines that begin with "#" are comment
lines and thus ignored. Lines that begin with "!" are dese‐
lected, causing the deactivation of the CA certificate in ques‐
tion. Certificates must have a .crt extension in order to be
included by update-ca-certificates.

Furthermore all certificates with a .crt extension found below
/usr/local/share/ca-certificates are also included as implicitly
trusted.
[..]

Drop the CA cert in below folder:

Code:

/usr/local/share/ca-certificates/

And run below to apply:

Code:

sudo update-ca-certificates

[gkusiak]

I'll let everyone know how that works when I get to it later this week.

UPDATE - if your network requires credentials such as ca.crt, you should install it on your xbian system. It'll work faster/better/stronger.