10

How to install and trust NextDNS Root CA

Windows

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Certificate window will open).
  3. Click on Install Certificate.
  4. In the Certificate Import Wizard, when prompted for the Certificate Store, choose Place all certificates in the following store and select the Trusted Root Certification Authorities store.

CLI Installation

In a PowerShell as administrator, run:

Invoke-WebRequest -Uri "https://nextdns.io/ca" -OutFile "$env:TEMP\nextdns.cer"
certutil -addstore -f root "$env:TEMP\nextdns.cer"

macOS

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Keychain Access.app will open with the list of Certificates installed on your computer).
  3. Double-click on NextDNS Root CA in that list.
  4. Under Trust, choose Always Trust for Secure Socket Layers (SSL).
  5. Close the window (you may be asked to enter your system password to confirm the change).

iOS

  1. Open https://nextdns.io/ca, then choose Allow.
  2. Open the Settings app, then go to General → Profiles.
  3. Open NextDNS Root CA, then Install.
  4. In the Settings app, go to General → About → Certificate Trust Settings.
  5. Enable Full Trust for NextDNS Root CA.

Android

  1. Open https://nextdns.io/ca, then choose Download.
  2. Open the downloaded NextDNS.cer file.
  3. When asked, name the certificate NextDNS.

Linux

Firefox

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open  →Privacy & Security.
  3. Scroll down to Certificates and click View Certificates…
  4. In the Authorities tab click Import.
  5. Select the NextDNS.cer file.
  6. Check Trust this CA to identify websites then click OK

Chrome, Chromium

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open chrome://settings/certificates
  3. In the Authorities tab click Import.
  4. In the lower right, select All Files
  5. Select the NextDNS.cer file.
  6. Check Trust this certificate for identifying websites then click OK.

If you're using Firefox, an additional step is required:

  1. Enter about:config in the address bar, then press Enter.
  2. If asked, click on Accept the Risk and Continue.
  3. Set the value for security.enterprise_roots.enabled to true.

34 replies

null
    • G_E
    • 3 yrs ago
    • Reported - view

    What potential risk is there in installing the nextdns ca certificate?

    I read a pre installation warning that the owner of the CA certificate could potentially read my passwords and cc details.

      • olivier
      • 3 yrs ago
      • Reported - view

      G E The risk is that if our certificate keys go into the wrong hands, they could impersonate any HTTPS website you visit (assuming they can also redirect your traffic). This is also something WE could do, as we have both the root certificate keys and the ability to rewrite your DNS queries. You thus have to trust us that we won't do this and we protect our private keys correctly.

      To give you some insurance on how we protect those keys, here are some details on how we handle them:

      • The root certificate private key is offline, so this one can't be stolen.
      • It was used to generate an intermediate key that is stored in a TPM.
      • This intermediate key is used to generate short lived "edge" certificate that is only valid 5 days and is regenerated every day.
      • The edge certificate is  transferred encrypted and stored in memory only on our blockpage servers.

      The edge certificate is the one at risk. If one of our blockpage servers would get compromised, and the attacker was able to extract the certificate and the private key from its memory, they could use it for up to 5 days. Note that they would still need a way to capture your traffic. We secure our servers the best we can, and monitor intrusions so we can quickly revoke a certificate (even before the 5 days) in case of intrusion.

      • G_E
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey Dear Olivier, thank you for your elaborate reply to my question. A large part of my question comes from my lack of technical expertise in the subject. Thus, I am glad to see you taking the time to explain the situation in much detail.

      • Ed_Jamison
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey I love the honesty of your company.  You don't BS anyone and try to tell them everything is perfect and secure.  You even admit the obvious, which is that your company can also manipulate the SSL.  I wish all companies were like yours.  I Love your product BTW, I am in a severely targeted situation and your service helps me in the fight.

    • Sergey_Twersky
    • 3 yrs ago
    • Reported - view

    I think for Firefox on PC it is safer and better to install the certificate in the internal storage rather than change the setting so that the browser trusts all system certificates.

    • Jen_Marak
    • 3 yrs ago
    • Reported - view

    Hi, thanks for elaborating on this. In my android, yes its perfectly working. But in my laptop, especially in Chrome browser even after following all the instructions  it doesn't remove https warning message. So, do i have to tweak something from chrome?

    • Alex.1
    • 3 yrs ago
    • Reported - view

    Hi, I have installed it but now I can not delete from my Samsung S21, could you help me? 

    • gpsupport
    • 3 yrs ago
    • Reported - view

    Thanks

    • John
    • 3 yrs ago
    • Reported - view

    Can this certificate be installed at the router level?

      • NextDNs
      • 3 yrs ago
      • Reported - view

      John no, it has to be installed on every single host.

    • Jeiel
    • 3 yrs ago
    • Reported - view

    Helo! I installed the certificate on my device, but the certificate does not appear on the websites:

    • ZTfer
    • 3 yrs ago
    • Reported - view

    To upgrade or uninstall the NextDNS CLI, run the same install command again and select "Upgrade" or "Uninstall" from the menu.

    • Romain_Navarro
    • 3 yrs ago
    • Reported - view

    You talk about a slight load time increase with the block page. What order of increase and is it for every query or just the blocked ones ? I'm french and my English not so good so I hope you understand what I mean.

      • K_M_S
      • 2 yrs ago
      • Reported - view

      Romain Navarro @NextDNS 

       I understood your question, and am wondering the same thing. 

      Does anyone know?!

      • K_M_S
      • 2 yrs ago
      • Reported - view

      Romain Navarro Anyone?!   Why are pertinent/critical questions (which would be any/all on here!) being ignored?

      • chris.22
      • 1 yr ago
      • Reported - view

      Romain Navarro K M S I'm not sure why the decided not to touch your question. Anyway I haven't dug too much into it... (AKA I'm not sure if they're using some CNAME magic which might actually trigger multiple queries, or if it all resolves to one "Block page server", or what?) But at a minimum level you are dealing with comparing a speed of "Already Done" to "Load a block page." If an ad site for example is blocked having DNS resolve as "No DNS record" exists means your computer stops looking and the page with the ad moves onward with loading. Having it load a page that says "This page is blocked" means where the ad was supposed to be your web browser calls out to the block server, asks for the page, and the server replies "Oh no, blocked.example.com is blocked 😔". So in a particular bad situation you could go with something overloaded with ads taking 50 seconds to load, to only taking 20 seconds with no block pages, to 22 seconds with the block pages. Quantifying this is hard though..... Take ping for example. On windows it sends 4 packets 1 second apart and asks a site if it's ok. SO for the results to come back from ping blocked.example.com if you are blocking it and are set to show pages will take 4 seconds to finish running. If you don't send a block page though ping Immediately finishes stating it could not find blocked.example.com. On paper that's infinitely faster to not show a block page.

    • Mamac
    • 2 yrs ago
    • Reported - view

    Coud u make regular https so i dont need to install cert to 1000 devices. Just for notification and maybe make some options to customise message backfround color logo and that stuffs. 

    • Axel_Laemmert
    • 2 yrs ago
    • Reported - view

    I installed it on my new Macbook. The keystore doesn't trust it. 
     

    • Gavin_Murphy
    • 2 yrs ago
    • Reported - view

    Okay, so in the event that my kiddo is able to get around the block page, how could I prevent this?

    • Raiyan_Asaral
    • 2 yrs ago
    • Reported - view

    How to undo? Or uninstall it incase we don't want it on the system?

      • Gavin_Murphy
      • 2 yrs ago
      • Reported - view

      Raiyan Asaral In the event you don't want to use the block page, then follow these steps. Note: This is strictly for windows devices.
      1. Go onto your task bar and select the search bar/icon.

      2. Type "Certificates" 

      3. Select "Manage User Certificates"

      4. On the LEFT pane, click "Trusted Root Certification Authorities"

      5. Click "Certificates"

      6. Find "NextDNS Root CA"

      7. Click "the red X on the top to remove the NextDNS root certificate.
                          THEN                    

    • Tzvi
    • 1 yr ago
    • Reported - view

    How to script cert installation?

      • PCSPEZIALIST
      • 6 mths ago
      • Reported - view

      Do you have a PowerShell script that you are able to share, 

      • NextDNs
      • 6 mths ago
      • Reported - view

      you can try:

      Invoke-WebRequest -Uri "https://nextdns.io/ca" -OutFile "$env:TEMP\nextdns.cer"
      certutil -addstore -f root "$env:TEMP\nextdns.cer"