kto-ca-install/README.md

# Install KTO Root Certificates

This repository contains a small setup to automate the delivery of our root certificates to clients.

### Files
* `kto.crt` is our current only root certificate
* `advancedsettings.xml` is a Kodi user configuration file
#### Installation
* `install.sh` copies the certificates to the right location and then reloads the system's certificates (Linux only)

### Firefox
On Debian-based distros, the following is required so that Firefox uses system CAs. We add a diversion in dpkg so that
Firefox upgrades do not override our change.
```
sudo dpkg-divert --divert /usr/lib/firefox/libnssckbi.so.orig --rename --local /usr/lib/firefox/libnssckbi.so
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
```

### Manually import in Kodi
In systems where we cannot import our certificate (LibreELEC, Android (TV)), we need to copy `advancedsettings.xml` and
`kto.crt` (renamed to `cacert.pem`) to `$HOME_OF_KODI_USER/.kodi/userdata/`.

This prevents KODI from using system CA, and thus to access "normal" HTTPS resources. The solution is to concatenate in
`cacert.pem` KODI's "system" cacert and our own CA. The install script does it for LibreELEC, but not for Android (TV).

#### Android (TV)
1. find Kodi app user data directory (usually `/sdcard/Android/data/org.xbmc.kodi`)
2. copy `advancedsettings.xml` and `kto.crt` (renamed to `cacert.pem`) to `$KODI/files/.kodi/userdata/`
Initial commit 2022-11-13 12:13:34 +01:00			`# Install KTO Root Certificates`

			`This repository contains a small setup to automate the delivery of our root certificates to clients.`

			`### Files`
			* `kto.crt` is our current only root certificate
Update README 2023-04-08 18:04:09 +02:00			* `advancedsettings.xml` is a Kodi user configuration file
Initial commit 2022-11-13 12:13:34 +01:00			`#### Installation`
Add Kodi Android conf 2022-12-30 12:23:41 +01:00			* `install.sh` copies the certificates to the right location and then reloads the system's certificates (Linux only)

Add specific Debian use case in install script 2022-12-26 19:37:27 +01:00			`### Firefox`
Add in README the final solution for Debian-based 2023-01-21 17:40:43 +01:00			`On Debian-based distros, the following is required so that Firefox uses system CAs. We add a diversion in dpkg so that`
			`Firefox upgrades do not override our change.`
Add specific Debian use case in install script 2022-12-26 19:37:27 +01:00			```
Add in README the final solution for Debian-based 2023-01-21 17:40:43 +01:00			`sudo dpkg-divert --divert /usr/lib/firefox/libnssckbi.so.orig --rename --local /usr/lib/firefox/libnssckbi.so`
Add specific Debian use case in install script 2022-12-26 19:37:27 +01:00			`sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so`
			```
Fix merge conflict in README 2022-12-30 12:25:40 +01:00
Update README 2023-04-08 18:04:09 +02:00			`### Manually import in Kodi`
			In systems where we cannot import our certificate (LibreELEC, Android (TV)), we need to copy `advancedsettings.xml` and
			`kto.crt` (renamed to `cacert.pem`) to `$HOME_OF_KODI_USER/.kodi/userdata/`.

Add LibreELEC case to install script 2023-08-02 20:19:37 +02:00			`This prevents KODI from using system CA, and thus to access "normal" HTTPS resources. The solution is to concatenate in`
			`cacert.pem` KODI's "system" cacert and our own CA. The install script does it for LibreELEC, but not for Android (TV).
Update README 2023-06-27 21:05:01 +02:00
Update README 2023-04-08 18:04:09 +02:00			`#### Android (TV)`
Add Kodi Android conf 2022-12-30 12:23:41 +01:00			1. find Kodi app user data directory (usually `/sdcard/Android/data/org.xbmc.kodi`)
			2. copy `advancedsettings.xml` and `kto.crt` (renamed to `cacert.pem`) to `$KODI/files/.kodi/userdata/`