NixOS self signed certificates for desktop

I use a nix desktop on my laptop as my main OS. My school requires us to install a certificate that allows a program that they have to inspect all https traffic on the network. I have managed to install this with

  environment.variables = let
    ca-bundle = "/etc/ssl/certs/ca-bundle.crt";
  in {
    CURL_CA_BUNDLE = ca-bundle;
    GIT_SSL_CAINFO = ca-bundle;
    SSL_CERT_FILE  = ca-bundle;
    NIX_SSL_CERT_FILE = ca-bundle;
  };

  security.pki.certificates = [
    (builtins.readFile ./certificate.pem)
  ];

This works fine, and it seems most programs can read it fine, however I get issues as the certificate is self signed and programs just refuse to accept it. Firefox and nixos-rebuild are the two programs that I am struggling with. I have trusted the certificate but I just can’t figure out how to either allow Firefox to accept self signed certificates or to trick it into thinking it is a normal root certificate like the other certificates. I can bypass it on some websites but this is inconvenient and also doesn’t work for HSTS websites. I am not very well versed with the exact cryptography stuff that is happening so please forgive my inexperience.
Thanks!

With Firefox you should be able to import the certificate in the authorities tab in Firefox’s certificate settings.

HSTS won’t work, that’s by design.

This is a terrible IT policy.

1 Like

Assuming your certificate.pem is a CA certificate in PEM format, all you need to do is to add it to security.pki.certificates. This will make the CA a trust root, so certificates signed by it should become trusted, no further action needed.

We have a bunch of tests for various browsers to check that this is working, and it appears so.

however I get issues as the certificate is self signed and programs just refuse to accept it

Which certificate are you talking about? The CA certificate is necessarily self-signed and the server certificate (spoofed by the proxy) should not be self-signed but signed by the CA, otherwise adding the CA to the trust store would be pointless.

1 Like

HSTS won’t work, that’s by design.

HSTS is a mechanism to prevent protocol downgrades, it should have nothing to do in this case. Since they’re asking to install a CA certificate it means this is a https MITM proxy, it doesn’t need to downgrade anything to http because it can intercept https.

This is a terrible IT policy.

Yeah, it’s quite insane for a school, but I think it’s relatively common in corporate environments.

1 Like

It should also be noted that this completely breaks any expectation of privacy or security you may have. Website logins (and generally most software) rely on HTTPS, doing this practically gives your school free rein over anything you do on the internet; not just the ability to read while you’re browsing.

Even then, the data they read can give them access after you stop using their network. Hell, nix uses https to ensure that the sources you download aren’t compromised, this could be abused to backdoor your system.

It’s probably not the school’s intent to actually abuse this, but you’d do well to be very careful about which kinds of things you do on that network if this is a personal computer.

Personally I’d at least use a separate partition and make sure nothing remotely personal ever hits that network. This really is incredibly invasive; I can see it in corporate environments on a computer given to you by your employer, but this is really pushing it.

2 Likes