From 741f294473fbca23b495043021f4ef317ca87491 Mon Sep 17 00:00:00 2001 From: Keith Irwin Date: Mon, 10 Apr 2023 19:56:19 -0600 Subject: [PATCH] Update CA instructions --- _src/nebuchadnezzar/ca.md | 48 +++++++++++++++++++-------------------- _src/nebuchadnezzar/wg.md | 2 +- 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/_src/nebuchadnezzar/ca.md b/_src/nebuchadnezzar/ca.md index 1597d7b..90445b1 100644 --- a/_src/nebuchadnezzar/ca.md +++ b/_src/nebuchadnezzar/ca.md 
@@ -3,36 +3,18 @@ title: Installing the CA Certifiacte layout: base.njk --- -< [Back](/nebuchadnezzar/) - # {{title}} Importing GF4's CA certificate is required to use matrix and recommended for https, imap, etc. ## What is this? -When you visit `mybank.com` over HTTPS, your connection is encrypted *and* reliable. **Encryption** means the data is scrambled so it can't be "wiretapped". **Reliability** means you can trust that the data was sent from the real `mybank.com`. +**TLS** also known as **SSL** is a computer technology used to cryptographically sign and encrypt stuff. GF4 signs data on domains that end in `.gf4`. For your applications to recognize these signatures, you must install GF4's root certificate. Otherwise, you will get privacy errors in your browser. -- `.com` is the **Top Level Domain (TLD)**. The TLD could be `.org` or whatever. -- Each TLD has its own **Certificate Authority (CA)**. The CA for `.com` is Verisign, Inc. -- Your browser has a store of **CA certificates**, one for each CA/TLD. (Your operating system also keeps a store of CA certs). -- When you visit `mybank.com` for the first time, they send you a **server certificate**. -- Your browser uses the Verisign CA certificate in its storage to ensure that the server certificate recieved from `mybank.com` was signed by Verisign. - -If the data sent by `mybank.com` was signed by Verisign, we know we're talking to the *real* `mybank.com`. (It's the responsibility of the CA to make sure they're signing certificates for the real mybank and not an imposter.) Because our connection is reliable, our browser shows us a lock symbol. - -This reliability is part of **Transport Layer Security (TLS)**. This example used HTTPS, a web protocol. But TLS is also used in mumble, email, matrix, irc, etc. - -## Respec GF4's authoritah - -GF4 uses the unofficial `.gf4` TLD. Neither your OS nor browser have a CA certificate for this TLD: you have to import it. If possible, import it into both OS and browser. 
On mobile devices it's only availale at the OS level, at least that's how it is on android. - -When you import a CA certificate, your platform may display very serious warnings about the security implications of importing untrusted CA certs. If you read the previous section, this should make some sense. When you import GF4's certificate, it gives GF4 the power to sign server certs that your browser will trust. So for example, GF4 *could* impersonate `mybank.com` and your browser would show the lock symbol for a reliable connection. GF4 would never do such a thing, but your browser and OS don't know that. +Follow these instructions to install the certificate on your computer or phone: --- -**TODO**: Split these into seperate pages - ### Fedora/Arch Linux (or p11-kit) ``` 
@@ -48,22 +30,30 @@ Open a terminal and run: ``` sudo apt-get install -y ca-certificates curl -curl -s www.gf4/ca.crt | sudo tee /usr/local/share/ca-certificates/gf4.crt +curl -s https://www.gf4.pw/ca.crt | sudo tee /usr/local/share/ca-certificates/gf4.crt sudo update-ca-certificates ``` **source**: [Ubuntu server docs: Security trust store](https://ubuntu.com/server/docs/security-trust-store) ### Android -TODO +1. Download the certificate from [/ca.crt](https://www.gf4.pw/ca.crt) onto your android's internal storage +2. Go to Settings > Security > More security settings > Encryption & credentials > Install a certificate > CA certificate. If you can't find it there, just search the settings for "CA certificate". +3. Tap through any warnings ("Install anyway") and select the `ca.crt` file from the file browser. ### Mac -Help wanted +Download the certificate from [/ca.crt](https://www.gf4.pw/ca.crt) to your home directory and run this command in a terminal: + +``` +sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/ca.crt +``` + +**source**: [KerioConnect Help: Adding trusted root certificates to the server](https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html) ### iPhone -1. Open [www.gf4/ca.crt](http://www.gf4/ca.crt) in Safari. +1. Open [www.gf4,pw/ca.crt](https://www.gf4.pw/ca.crt) in Safari. 2. Safari will say "*This website is trying to download a configuration profile. Do you want to allow this?*". Tap **Allow**. 3. Safari will then say "*Review the profile in Settings app if you want to install it.*". Tap **Close**. 4. Settings -> General -> **VPN & Device Management** -> **gf4** -> **Install**. If you get a warning that complains about this being an *Unmanaged Root Certificate* and *Unverified Profile*, tap **Install** again. You will notice that **Not Verified** in red will turn into **Verified** in green. 
@@ -71,4 +61,12 @@ Help wanted ### Windows -Help wanted \ No newline at end of file +Download the certificate from [/ca.crt](https://www.gf4.pw/ca.crt) run this command in a terminal in the same folder as the `ca.crt` file: + +``` +certutil -addstore -f "ROOT" ca.crt +``` + +**source**: [KerioConnect Help: Adding trusted root certificates to the server](https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html) + +< [Back](/nebuchadnezzar/) diff --git a/_src/nebuchadnezzar/wg.md b/_src/nebuchadnezzar/wg.md index 5f12ecf..65c6907 100644 --- a/_src/nebuchadnezzar/wg.md +++ b/_src/nebuchadnezzar/wg.md @@ -79,4 +79,4 @@ sudo systemctl enable wg-quick@gf4 You know everything is working if you can access [the private portal](https://www.ksn.gf4/) on the device. If you see a privacy warning, wireguard is working and you can move on to the next step: [Installing the GF4 CA certificate](/nebuchadnezzar/ca/). -< [Back](/nebuchadnezzar/) \ No newline at end of file +< [Back](/nebuchadnezzar/)
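Review bot: in the first `ca.md` hunk (`@@ -3,36 +3,18 @@`), the rewritten "What is this?" section drops the paragraph that explained why the OS shows "very serious warnings" when a CA certificate is imported. A root certificate in the trust store is trusted for every hostname, not only `.gf4`, so the new sentence "GF4 signs data on domains that end in `.gf4`" understates what the reader is granting, and the Android step added later in this patch then tells them to tap "Install anyway" with no context. Suggest keeping one sentence of the removed text, e.g. "When you import GF4's certificate, it gives GF4 the power to sign server certs that your browser will trust.", and stating explicitly if the CA carries a name constraint limiting it to `.gf4`. Minor: "**TLS** also known as **SSL**" reads better as "TLS (the successor to SSL)", and the unchanged front-matter title still spells `Certifiacte`.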
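Review bot: in the second `ca.md` hunk (`@@ -48,22 +30,30 @@`), the Debian line `curl -s https://www.gf4.pw/ca.crt | sudo tee /usr/local/share/ca-certificates/gf4.crt` silently writes whatever the server returns into `gf4.crt`, including an HTML error page on a 404, because `-s` hides errors and `curl` exits 0 on HTTP errors without `-f`; `curl -fsS https://www.gf4.pw/ca.crt | sudo tee ...` makes a failed download leave no bogus file. The iPhone step in the same hunk has a typo in the link text, `www.gf4,pw/ca.crt` (comma for dot). Since the page now has readers download a root certificate on Android, Mac and iOS and click past trust warnings, consider publishing the certificate's SHA-256 fingerprint on this page so they can compare it after download with `openssl x509 -in ca.crt -noout -fingerprint -sha256`.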
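Review bot: in the Windows section of the third `ca.md` hunk (`@@ -71,4 +61,12 @@`), `certutil -addstore -f "ROOT" ca.crt` targets the machine-wide Trusted Root store and fails with an access-denied error unless the terminal is elevated; the instruction should say to open the terminal as Administrator, or document `certutil -user -addstore "ROOT" ca.crt` for a per-user install. The same sentence, "Download the certificate from [/ca.crt](https://www.gf4.pw/ca.crt) run this command in a terminal", is missing an "and" or "then" before "run".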