Update README

README.md

@@ -4,19 +4,33 @@ This repository contains a small setup to automate the delivery of our root cert
 
 ### Files
 * `kto.crt` is our current only root certificate
-* `advancedsettings.xml` is a Kodi user configuration file (see []())
+* `advancedsettings.xml` is a Kodi user configuration file
 #### Installation
 * `install.sh` copies the certificates to the right location and then reloads the system's certificates (Linux only)
 
 ### Firefox
-* On Mint, had to use the following so that Firefox uses system CAs:
+On Debian-based distros, the following is required so that Firefox uses system CAs:
-```
+* go to Firefox Settings -> Privacy & Security -> Security -> Security Devices
-sudo mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak
+* then click "Load" to add a new device pointing to `/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so`
-sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
-```
-* Stil unclear: Will this be overwritten at Firefox update?
 
-### Kodi Android
+### Manually import in Kodi
-Since Android does not allow to import our root certificate, we have to import directly in Kodi:
+In systems where we cannot import our certificate (LibreELEC, Android (TV)), we need to copy `advancedsettings.xml` and
+`kto.crt` (renamed to `cacert.pem`) to `$HOME_OF_KODI_USER/.kodi/userdata/`.
+
+This prevents KODI from using system CA, and thus to access "normal" HTTPS resources. The solution is to concatenate in
+`cacert.pem` KODI's "system" cacert and our own CA. The install script does it for LibreELEC, but not for Android (TV).
+
+#### Android (TV)
 1. find Kodi app user data directory (usually `/sdcard/Android/data/org.xbmc.kodi`)
 2. copy `advancedsettings.xml` and `kto.crt` (renamed to `cacert.pem`) to `$KODI/files/.kodi/userdata/`
+
+### Import in Windows
+1. Download the CA
+2. Double-click on it
+3. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard
+4. On the Welcome page, click Next
+5. On the Certificate Store page, select Place all certificates in the following store and click Browse
+6. In the Select Certificate Store dialog box, select Show Physical Stores
+7. Double-click Trusted Root Certification Authorities, select Local Computer, and then click OK
+8. On the Certificate Store page, click Next
+9. On the summary page, review the details and click Finish

install.sh

@@ -14,18 +14,24 @@ else
   sudo=""
 fi
 
-if command -v update-ca-trust > /dev/null; then
+if [ $(echo $(lsb_release) | cut -d ' ' -f 1) = "LibreELEC" ]; then
-  $sudo cp $run_directory/*.crt /etc/ca-certificates/trust-source/anchors/
+  cp /usr/share/kodi/system/certs/cacert.pem /storage/.kodi/userdata/cacert.pem
-  $sudo update-ca-trust
+  cat $run_directory/kto.crt >> /storage/.kodi/userdata/cacert.pem
-elif command -v update-ca-certificates > /dev/null; then
+  cp $run_directory/advancedsettings.xml /storage/.kodi/userdata/
-  $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
+else # More classic Linux expected
-  $sudo update-ca-certificates
+  if command -v update-ca-trust > /dev/null; then
-elif [ -f /usr/sbin/update-ca-certificates ]; then # Debian...
+    $sudo cp $run_directory/*.crt /etc/ca-certificates/trust-source/anchors/
-  $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
+    $sudo update-ca-trust
-  $sudo update-ca-certificates
+  elif command -v update-ca-certificates > /dev/null; then
-else
+    $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
-  echo "No update-ca binary found. Exiting with error!"
+    $sudo update-ca-certificates
-  exit 1
+  elif [ -f /usr/sbin/update-ca-certificates ]; then # Debian...
+    $sudo cp $run_directory/*.crt /usr/local/share/ca-certificates/
+    $sudo update-ca-certificates
+  else
+    echo "No update-ca binary found. Exiting with error!"
+    exit 1
+  fi
 fi
 
 echo "Finished install. Exiting..."