www/_src/nebuchadnezzar/ca.md

---
title: Installing the CA Certificate
layout: base.njk
---

# {{title}}

Importing GF4's CA certificate is required to use Matrix and recommended for HTTPS, IMAP, etc.

## What is this?

When you visit mybank.com over HTTPS, your connection is encrypted and reliable. Encryption means the data is scrambled so it can't be "wiretapped". Reliability (authentication) means you can trust that the data really came from mybank.com.

- .com is the Top Level Domain (TLD). The TLD could be .org or whatever.
- Each TLD has its own Certificate Authority (CA). The CA for .com is Verisign, Inc.
- Your browser has a store of CA certificates, one for each CA/TLD. (Your operating system also keeps a store of CA certs.)
- When you visit mybank.com for the first time, they send you a server certificate.
- Your browser uses the Verisign CA certificate in its store to ensure that the server certificate received from mybank.com was signed by Verisign.

If the data sent by mybank.com was signed by Verisign, we know we're talking to the real mybank.com. (It's the responsibility of the CA to make sure they're signing certificates for the real mybank and not an imposter.) Because our connection is reliable, our browser shows us a lock symbol.

This reliability is part of Transport Layer Security (TLS). This example used HTTPS, a web protocol, but TLS is also used in Mumble, email, Matrix, IRC, etc.

## Respec GF4's authoritah

GF4 uses the unofficial .gf4 TLD. Neither your OS nor your browser has a CA certificate for this TLD: you have to import it. If possible, import it into both the OS and the browser. On mobile devices it's only available at the OS level, at least that's how it is on Android.

When you import a CA certificate, your platform may display very serious warnings about the security implications of importing untrusted CA certs. If you read the previous section, this should make some sense. When you import GF4's certificate, it gives GF4 the power to sign server certs that your browser will trust. So for example, GF4 could impersonate mybank.com and your browser would show the lock symbol for a reliable connection. GF4 would never do such a thing, but your browser and OS don't know that.
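The two situations described above, shown with a throwaway private CA so it runs offline. This is an added example, not something from the GF4 page or its repository: it builds a pretend CA and a certificate for a host under a made-up private TLD, checks that the file really is a CA certificate before "importing" it, and then shows that the server certificate fails verification against the system store but passes once the CA is used as a trust anchor. It assumes `openssl` is installed; every name in it is invented.

```sh
#!/bin/sh
# Added example, not part of the GF4 page: a throwaway private CA (standing in
# for GF4's) signs a certificate for a host under a private TLD; we then check
# what a client sees before and after trusting that CA. Needs `openssl`; all
# names below are made up.
set -eu
WORK=$(mktemp -d)

# Minimal req config: CA:TRUE is what makes the self-signed cert a CA cert.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n' > "$WORK/req.cnf"
printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
  >> "$WORK/req.cnf"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:matrix.example\n' > "$WORK/srv.ext"

make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Private CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate for a host under the private TLD, signed by that CA.
make_server_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=matrix.example" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null
}

# Check before importing anything: is this file really a CA certificate?
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Chain check with the given file as anchor (default CA file and dir disabled).
verify_with_anchor() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain check using only the system store, i.e. before the CA is imported.
verify_with_system() { openssl verify "$1" >/dev/null 2>&1; }

make_ca
make_server_cert
verify_with_system "$WORK/srv.crt" || echo "system store: NOT trusted (CA not imported)"
verify_with_anchor "$WORK/ca.crt" "$WORK/srv.crt" && echo "with ca.crt as anchor: trusted"
```

The same `is_ca_cert` check and a fingerprint comparison (`openssl x509 -noout -fingerprint -sha256 -in ca.crt`) are worth running on the real download before trusting it, since after import the CA can sign for any name.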


TODO: Split these into separate pages

For all of these instructions, you'll need to download the certificate from https://www.gf4.pw/ca.crt.

## Fedora/Arch Linux (or p11-kit)

https://wiki.archlinux.org/title/User:Grawity/Adding_a_trusted_CA_certificate

```sh
# `trust anchor` takes a file, not stdin, so save the download first.
curl -s -o ca.crt https://www.gf4.pw/ca.crt
# Run as root to add it to the system-wide trust store.
sudo trust anchor --store ca.crt
```

## Debian/Ubuntu

```sh
curl -s https://www.gf4.pw/ca.crt \
| sudo tee /usr/local/share/ca-certificates/gf4.crt \
| sudo tee /etc/ssl/certs/gf4.pem >/dev/null
sudo chmod 644 /usr/local/share/ca-certificates/gf4.crt /etc/ssl/certs/gf4.pem
# Regenerate /etc/ssl/certs and the ca-certificates.crt bundle; without this,
# programs that read the bundle (most OpenSSL/GnuTLS clients) won't see the new anchor.
sudo update-ca-certificates
```

Import the certificates into your browser too.

## Android

TODO

## Mac

Help wanted

## iPhone

1. Open https://www.gf4.pw/ca.crt in Safari.
2. Safari will say "This website is trying to download a configuration profile. Do you want to allow this?". Tap Allow.
3. Safari will then say "Review the profile in Settings app if you want to install it.". Tap Close.
4. Settings -> General -> VPN & Device Management -> gf4 -> Install. If you get a warning that complains about this being an Unmanaged Root Certificate and Unverified Profile, tap Install again. You will notice that "Not Verified" in red turns into "Verified" in green.
5. Settings -> General -> About -> Certificate Trust Settings -> Enable Full Trust For Root Certificates -> gf4.

## Windows

Help wanted
