Hi all,

I want to install a rootCA in both areas of Shelter. In the private one it was no problem.
But how to install on the side?

    thegustavo Hi there, installing a new RootCA can have many very negative privacy/security implications. I would generally advise against it. May I ask which RootCA you would like to add to the user trust store and why?

    Hello Agility8200,

    I know that this can have negative privacy/security implications. I use HomeAssistant at home. I have secured this website with mkcert. Since I only run the website at home in the local network, I cannot use a LetsEncrypt certificate.

    The client app that I want to connect to from my Pixel 7 therefore requires the RootCA, otherwise it will not connect to the HomeAssistant server. So the certificate has to be on my cell phone somehow.

    I managed to do this on the private pages without any problems. But I want to connect to my HomeAssistant server with the app on the business side via VPN. And that's where the problem lies: How do I get the RootCA installed on the business side?

    So - please no discussion about "is this dangerous or not", but very helpful information about how I can install a certificate on the business side of a Pixel 7 with Shelter. Thank you very much :)

      thegustavo I've rooted my P6 with Magisk (latest Android 13 GOS). Works fine, yes it's not recommended but it works :)

        thegustavo I'm not going to tell you that it's a security risk, because that's on you to decide and only really a risk if you don't know what you're doing. But I will say that there is a better way!

        Specifically, you CAN and SHOULD use a "letsencrypt" certificate, which you set up in conjunction with a dynamic DNS. You then set your internal clients to access your automation system using your set domain name. On your router, you block connection from the WAN side, and forward connections from the LAN side back to your automation server. An extra step to be resilient against WAN failures is to set the domain name in the router's DNS forwarder to a local address as well, that way the LAN clients don't rely on the external DNS server or public IP address.

        ThatOneGuy Caution against upgrading to more recent builds of GrapheneOS: Magisk is no longer compatible and will really break things, AND, unfortunately, indications are that they will NOT be fixing it for GrapheneOS. There is, however, a fork of Magisk by a Magisk contributor that does account specifically for GrapheneOS.