Self-signed Certificates by a self-managed Certificate Authority
-
Hi folks,
I'm a new owner of a Volla Phone with Ubuntu Touch installed.
I'm still learning how to use the phone and I already have some issues getting my Nextcloud and my Home Assistant to work with the phone. Long story short, somehow I can't get it to trust my Certificate Authority.
- The System (tried to use the Accounts setting to add the Nextcloud),
- the App (there's a Home Assistant App called "Home" in the App store) and
- the Morph Browser
don't seem to have any settings to trust private CAs.
All three of them for some reason absolutely ignore the system-wide trust stores.
I imported them, they are shown as being imported (trust list ... yes, it's there), but they are just ignored.
I was also planning to add a Proxy that intercepts the Traffic, but since this also depends on my CA, I already know that this won't work either.
I remounted the root file system read write and copied the ROOT-Certificate to
- /usr/local/share/ca-certificates/
- /etc/ssl/certs/
- /usr/share/ca-certificates/
And I tried:
- trust anchor ROOT-CA.crt ; update-ca-certificates
- dpkg-reconfigure ca-certificates
- and I even created a Mozilla Store using certutil and creating nssdb under various folders. (I figure, the Morph Browser is based on Google Chrome, I however do not know what this Browser uses)
I'm getting a little frustrated with this, since I do not find any way to go further.
Without the ability of importing my own Certificates the Phone seems to be quite useless to me.
I don't see any reason behind such an inability anyway.
Why would someone intentionally leave this out? This would make no sense to me.
So it might be a bug? A missing feature? - For me it is a base functionality.
--> Leaving it out just means either using unencrypted connections or handing the certificate signing process over to third party CAs which then would be able to break up those connections.
Both options do not increase the security in any way.
Can someone please point me to some solution other than buying commercial certificates or using Let's Encrypt?
I'm not planning to throw all my certificates away (might be around 10) just because I can't import them to a mobile device.
I don't use my home services on the internet, so I don't need any Internet CAs verifying them.
Thanks and best regards
-
@huben Morph uses QtWebEngine to provide the browsing functionality. And it seems that QtWebEngine bundles its own set of trusted CAs in binary format.
This would explain why adding your certs does not have any effect.
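
An added example, not part of the thread: a small check that separates "the CA never reached the system bundle" from "the client reads a different trust store", which is the distinction the reply above draws. It assumes the Debian/Ubuntu bundle path `/etc/ssl/certs/ca-certificates.crt`; the function names are hypothetical and the sample PEM blocks are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): is a CA certificate really in the
# system bundle? Compares base64 bodies, so no openssl is needed.

# Print every certificate in PEM file $1 as one line of base64.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle CERT BUNDLE (hypothetical helper)
# Returns 0 if the first certificate in CERT is in BUNDLE, 1 if it is not,
# 2 if CERT holds no PEM certificate (for example it is DER-encoded).
ca_in_bundle() {
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || return 2
    if pem_bodies "$2" | grep -qxF -- "$want"; then return 0; fi
    return 1
}

# Constructed sample data: placeholder base64, not real certificates.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFBQUFB' 'QkJCQkJCQkI=' \
        '-----END CERTIFICATE-----' > "$dir/my-root.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0NDQ0NDQ0NDQ0ND' \
        '-----END CERTIFICATE-----' > "$dir/other.crt"
    # The bundle uses CRLF line endings and different wrapping for my-root.
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'RERERERERERE' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'QUFBQUFBQUFBQUFBQkJCQkJCQkI=' '-----END CERTIFICATE-----' > "$dir/bundle.crt"
    printf 'not pem' > "$dir/der.crt"
}

# Usage: sh check-ca.sh ROOT-CA.crt [bundle]
if [ "$#" -ge 1 ]; then
    rc=0
    ca_in_bundle "$1" "${2:-/etc/ssl/certs/ca-certificates.crt}" || rc=$?
    case $rc in
        0) echo "in bundle: a client that still rejects it is not reading this bundle" ;;
        1) echo "not in bundle: the import did not take effect" ;;
        *) echo "no PEM certificate found in $1" ;;
    esac
fi
```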
-
@arubislander
Thanks mate, I'll check this out.