Install KTO Root Certificates

This repository contains a small setup to automate the delivery of our root certificates to clients.

Files

• kto.crt is our current only root certificate
• advancedsettings.xml is a Kodi user configuration file

Installation

• install.sh copies the certificates to the right location and then reloads the system's certificates (Linux only)

Firefox

On Debian-based distros, the following is required so that Firefox uses system CAs. We add a diversion in dpkg so that Firefox upgrades do not override our change.

sudo dpkg-divert --divert /usr/lib/firefox/libnssckbi.so.orig --rename --local /usr/lib/firefox/libnssckbi.so
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so

Manually import in Kodi

In systems where we cannot import our certificate (LibreELEC, Android (TV)), we need to copy advancedsettings.xml and kto.crt (renamed to cacert.pem) to $HOME_OF_KODI_USER/.kodi/userdata/.

This prevents KODI from using system CA, and thus to access "normal" HTTPS resources. The solution is to concatenate in cacert.pem KODI's "system" cacert and our own CA. The install script does it for LibreELEC, but not for Android (TV).

Android (TV)

1. find Kodi app user data directory (usually /sdcard/Android/data/org.xbmc.kodi)
2. copy advancedsettings.xml and kto.crt (renamed to cacert.pem) to $KODI/files/.kodi/userdata/

Import in Windows

1. Download the CA
2. Double-click on it
3. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard
4. On the Welcome page, click Next
5. On the Certificate Store page, select Place all certificates in the following store and click Browse
6. In the Select Certificate Store dialog box, select Show Physical Stores
7. Double-click Trusted Root Certification Authorities, select Local Computer, and then click OK
8. On the Certificate Store page, click Next
9. On the summary page, review the details and click Finish