In order to establish a secure (HTTPS) connection with your server on the local network, it is necessary to download and trust your server’s Root Certificate Authority (Root CA).
Note
You must repeat this guide for each device you want to connect to the server locally or using a VPN. This guide is not necessary for devices that will connect using Tor, Holesail, or clearnet.
Locate your Root CA and double click it. Keychain Access will launch. You will be prompted for your Mac credentials. Select “Modify Keychain”.
Press Command + Spacebar to launch a program, type in Keychain Access and select the resulting Keychain Access program to open it.
Your server’s CA certificate will be displayed among the imported certificates in Keychain Access. Right-click on the imported CA cert and select Get Info:
The details of your CA certificate will be displayed in a new dialog window. Click the “Trust” heading, then select “Always Trust” on Secure Sockets Layer (SSL) and X.509 Basic Policy.
Click the red (x) button at the top left of the Local Root CA dialog window.
You will then be prompted again for your Mac credentials. Click Update Settings:
Your server’s CA certificate will now show as trusted in Keychain Access, signified by a blue (+) sign, and the CA cert information will say “This certificate is marked as trusted for all users”:
If using Firefox, Thunderbird, or Librewolf, complete this final step.
Click the “Start” menu, type mmc, and select “Run as administrator” to access the Windows Management Console. When prompted with the “User Account Control” window, select “Yes” to allow this program to run.
When the Management Console opens, navigate to File > Add/Remove Snap-in.
Select “Certificates” in the left side menu, then “Add”. This will open another window.
Select “Computer account” and click “Next”. Leave defaulted options on the next screen and click “Finish”.
When you return to the “Add or Remove Snap-ins” page, ensure “Certificates (Local Computer)” exists under “Console Root” in the “Selected snap-ins” section, then click “OK”.
In the left hand menu of the Management Console, navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
Right click on the “Certificates” directory, then navigate to All Tasks > Import.
Click “Next” on the first page of the Certificate Import Wizard, then browse to the location where you saved the downloaded certificate and open it. Then click “Next”.
On the “Certificate Store” window, ensure that it says “Trusted Root Certification Authorities” and click “Next”. Then click “Finish” on the final screen.
Select “OK” when the import is successful.
Verify your server’s unique <your-server-name> Local Root CA certificate is in the “Certificates” folder.
You can save the console settings (where we added a snap-in), if desired. Your Root CA will remain imported to the CA certificate store either way, and you will likely use this guide again if you need to import a new certificate.
If using Firefox, Thunderbird, or Librewolf, complete this final step.
Open your iCloud Downloads folder and click on the certificate. It will display a dialog box that says Profile Downloaded. Click “Close”.
Head to Settings > General > VPN & Device Management.
Under “DOWNLOADED PROFILE”, click your Root CA.
Click “Install”.
Click “Install” again.
Click “Install” for a 3rd time.
You should see green text with a check-mark saying “Verified” under the Profile Installed dialog.
Tap “Done”.
Go to General > About > Certificate Trust Settings and enable your Root CA.
Click “Continue”.
This guide applies to Android 13+, GrapheneOS, CalyxOS, and LineageOS.
Go to Settings > Security > More security settings > Encryption & credentials > Install a certificate > CA Certificate > Install Anyway, then select your custom-named your-server-name.crt certificate.
Mozilla apps use their own certificate store and need extra configuration to trust your Root CA. Complete the steps above for your OS first, then follow the steps below.
Open the app and enter about:config in the URL bar. Accept any warnings that appear.
Search for security.enterprise_roots.enabled and set the value to “true”.
Restart the app.
Warning
The regular Firefox app will not work. You must use Firefox Beta.
Go to Menu > Settings > About Firefox and tap the Firefox icon 5 times to enable “developer mode”.
Go back to Menu > Settings > Secret Settings (at the bottom), and tap “Use third party CA certificates”.
In the hamburger menu, click “Settings”. Search for security devices and select “Security Devices…”
When the Device Manager dialog window opens, click “Load”.
Give the Module Name a title, such as “System CA Trust Module”. For the Module filename, paste in /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so and hit “OK”.
Tip
The path to p11-kit-trust.so will be slightly different if your processor’s architecture is not x86_64.
Verify that the new module shows up on the left hand side and click “OK” in the bottom right.
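To find the exact path to paste into “Module filename” on a machine that is not x86_64, you can search for the module first. This is an added example, not part of the original guide; the function name and the default search directories are assumptions covering common Linux layouts.

```shell
#!/bin/sh
# Added example: locate p11-kit-trust.so so the correct path can be pasted
# into the "Module filename" field. The default search roots are assumptions;
# pass other directories as arguments if your distribution differs.

find_p11_trust_module() {
    # Use the caller's directories, or fall back to the usual library roots.
    [ "$#" -gt 0 ] || set -- /usr/lib /usr/lib64 /usr/local/lib
    for root in "$@"; do
        [ -d "$root" ] || continue
        # Match only .../pkcs11/p11-kit-trust.so, at most three levels deep
        # (e.g. /usr/lib/aarch64-linux-gnu/pkcs11/p11-kit-trust.so).
        match=$(find "$root" -maxdepth 3 -path '*/pkcs11/p11-kit-trust.so' \
                    \( -type f -o -type l \) 2>/dev/null | sort | head -n 1)
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    # Nothing found under any of the searched directories.
    return 1
}

# Print the module path, or a message on stderr if it is not installed
# under the searched directories.
find_p11_trust_module "$@" ||
    echo "p11-kit-trust.so not found under the searched directories" >&2
```

Only load a module whose path sits under a system library directory owned by root, since the browser will execute whatever shared object you point it at.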