# Install KTO Root Certificates

This repository contains a small setup to automate the delivery of our root certificates to clients.

### Files
* `kto.crt` is our current only root certificate
* `advancedsettings.xml` is a Kodi user configuration file
#### Installation
* `install.sh` copies the certificates to the right location and then reloads the system's certificates (Linux only)

### Firefox
On Debian-based distros, the following is required so that Firefox uses system CAs. We add a diversion in dpkg so that
Firefox upgrades do not override our change.
```
sudo dpkg-divert --divert /usr/lib/firefox/libnssckbi.so.orig --rename --local /usr/lib/firefox/libnssckbi.so
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
```

### Manually import in Kodi
In systems where we cannot import our certificate (LibreELEC, Android (TV)), we need to copy `advancedsettings.xml` and
`kto.crt` (renamed to `cacert.pem`) to `$HOME_OF_KODI_USER/.kodi/userdata/`.

This prevents KODI from using system CA, and thus to access "normal" HTTPS resources. The solution is to concatenate in
`cacert.pem` KODI's "system" cacert and our own CA. The install script does it for LibreELEC, but not for Android (TV).

#### Android (TV)
1. find Kodi app user data directory (usually `/sdcard/Android/data/org.xbmc.kodi`)
2. copy `advancedsettings.xml` and `kto.crt` (renamed to `cacert.pem`) to `$KODI/files/.kodi/userdata/`

### Import in Windows
1. Download the CA
2. Double-click on it
3. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard
4. On the Welcome page, click Next
5. On the Certificate Store page, select Place all certificates in the following store and click Browse
6. In the Select Certificate Store dialog box, select Show Physical Stores
7. Double-click Trusted Root Certification Authorities, select Local Computer, and then click OK
8. On the Certificate Store page, click Next
9. On the summary page, review the details and click Finish