29 lines
1.4 KiB
Markdown
29 lines
1.4 KiB
Markdown
# Install KTO Root Certificates
|
|
|
|
This repository contains a small setup to automate the delivery of our root certificates to clients.
|
|
|
|
### Files
|
|
* `kto.crt` is our current only root certificate
|
|
* `advancedsettings.xml` is a Kodi user configuration file
|
|
#### Installation
|
|
* `install.sh` copies the certificates to the right location and then reloads the system's certificates (Linux only)
|
|
|
|
### Firefox
|
|
On Debian-based distros, the following is required so that Firefox uses system CAs. We add a diversion in dpkg so that
|
|
Firefox upgrades do not override our change.
|
|
```
|
|
sudo dpkg-divert --divert /usr/lib/firefox/libnssckbi.so.orig --rename --local /usr/lib/firefox/libnssckbi.so
|
|
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
|
|
```
|
|
|
|
### Manually import in Kodi
|
|
In systems where we cannot import our certificate (LibreELEC, Android (TV)), we need to copy `advancedsettings.xml` and
|
|
`kto.crt` (renamed to `cacert.pem`) to `$HOME_OF_KODI_USER/.kodi/userdata/`.
|
|
|
|
This prevents KODI from using system CA, and thus to access "normal" HTTPS resources. The solution is to concatenate in
|
|
`cacert.pem` KODI's "system" cacert and our own CA. The install script does it for LibreELEC, but not for Android (TV).
|
|
|
|
#### Android (TV)
|
|
1. find Kodi app user data directory (usually `/sdcard/Android/data/org.xbmc.kodi`)
|
|
2. copy `advancedsettings.xml` and `kto.crt` (renamed to `cacert.pem`) to `$KODI/files/.kodi/userdata/`
|