
How to install and trust NextDNS Root CA

Windows

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Certificate window will open).
  3. Click on Install Certificate.
  4. In the Certificate Import Wizard, when prompted for the Certificate Store, choose Place all certificates in the following store and select the Trusted Root Certification Authorities store.

macOS

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Keychain Access.app will open with the list of Certificates installed on your computer).
  3. Double-click on NextDNS Root CA in that list.
  4. Under Trust, choose Always Trust for Secure Sockets Layer (SSL).
  5. Close the window (you may be asked to enter your system password to confirm the change).

iOS

  1. Open https://nextdns.io/ca, then choose Allow.
  2. Open the Settings app, then go to General → Profiles.
  3. Open NextDNS Root CA, then Install.
  4. In the Settings app, go to General → About → Certificate Trust Settings.
  5. Enable Full Trust for NextDNS Root CA.

Android

  1. Open https://nextdns.io/ca, then choose Download.
  2. Open the downloaded NextDNS.cer file.
  3. When asked, name the certificate NextDNS.

Linux

Firefox

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the menu → Privacy & Security.
  3. Scroll down to Certificates and click View Certificates…
  4. In the Authorities tab click Import.
  5. Select the NextDNS.cer file.
  6. Check Trust this CA to identify websites, then click OK.

Chrome, Chromium

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open chrome://settings/certificates.
  3. In the Authorities tab click Import.
  4. In the lower right, select All Files.
  5. Select the NextDNS.cer file.
  6. Check Trust this certificate for identifying websites then click OK.

If you're using Firefox, an additional step is required:

  1. Enter about:config in the address bar, then press Enter.
  2. If asked, click on Accept the Risk and Continue.
  3. Set the value for security.enterprise_roots.enabled to true.
  • What potential risk is there in installing the NextDNS CA certificate?

    I read a pre installation warning that the owner of the CA certificate could potentially read my passwords and cc details.

    Like 2
    • G E The risk is that if our certificate keys go into the wrong hands, they could impersonate any HTTPS website you visit (assuming they can also redirect your traffic). This is also something WE could do, as we have both the root certificate keys and the ability to rewrite your DNS queries. You thus have to trust us that we won't do this and we protect our private keys correctly.

      To give you some insurance on how we protect those keys, here are some details on how we handle them:

      • The root certificate private key is offline, so this one can't be stolen.
      • It was used to generate an intermediate key that is stored in a TPM.
      • This intermediate key is used to generate a short-lived "edge" certificate that is only valid for 5 days and is regenerated every day.
      • The edge certificate is transferred encrypted and stored in memory only on our blockpage servers.

      The edge certificate is the one at risk. If one of our blockpage servers were to get compromised, and the attacker was able to extract the certificate and the private key from its memory, they could use it for up to 5 days. Note that they would still need a way to capture your traffic. We secure our servers the best we can, and monitor intrusions so we can quickly revoke a certificate (even before the 5 days) in case of intrusion.

      Like 18
      G E (2 yrs ago):

      Olivier Poitrey Dear Olivier, thank you for your elaborate reply to my question. A large part of my question comes from my lack of technical expertise in the subject. Thus, I am glad to see you taking the time to explain the situation in much detail.

      Like 3
      Ed Jamison (2 yrs ago):

      Olivier Poitrey I love the honesty of your company. You don't BS anyone and try to tell them everything is perfect and secure. You even admit the obvious, which is that your company can also manipulate the SSL. I wish all companies were like yours. I love your product BTW, I am in a severely targeted situation and your service helps me in the fight.

      Like 5
  • I think for Firefox on PC it is safer and better to install the certificate in the internal storage rather than change the setting so that the browser trusts all system certificates.

    Like
  • Hi, thanks for elaborating on this. On my Android, yes, it's working perfectly. But on my laptop, especially in the Chrome browser, even after following all the instructions it doesn't remove the HTTPS warning message. So, do I have to tweak something in Chrome?

    Like
  • Hi, I have installed it but now I can not delete it from my Samsung S21, could you help me?

    Like
  • Thanks

    Like
  • Can this certificate be installed at the router level?

    Like
    • John no, it has to be installed on every single host.

      Like
  • Hello! I installed the certificate on my device, but the certificate does not appear on the websites:

    Like 1
  • To upgrade or uninstall the NextDNS CLI, run the same install command again and select "Upgrade" or "Uninstall" from the menu.

    Like
  • You talk about a slight load time increase with the block page. What order of increase, and is it for every query or just the blocked ones? I'm French and my English is not so good, so I hope you understand what I mean.

    Like 2
      K M S (1 yr ago):

      Romain Navarro @NextDNS I understood your question, and am wondering the same thing.

      Does anyone know?!

      Like 2
      K M S (6 mths ago):

      Romain Navarro Anyone?! Why are pertinent/critical questions (which would be any/all on here!) being ignored?

      Like
  • Could you make regular HTTPS so I don't need to install the cert on 1000 devices? Just for notification, and maybe make some options to customise the message background color, logo and that stuff.

    Like 2
  • I installed it on my new Macbook. The keystore doesn't trust it.

    Like 1
  • Okay, so in the event that my kiddo is able to get around the block page, how could I prevent this?

    Like 1
  • How to undo? Or uninstall it in case we don't want it on the system?

    Like
    • Raiyan Asaral In the event you don't want to use the block page, then follow these steps. Note: This is strictly for Windows devices.
      1. Go onto your task bar and select the search bar/icon.
      2. Type "Certificates".
      3. Select "Manage User Certificates".
      4. On the LEFT pane, click "Trusted Root Certification Authorities".
      5. Click "Certificates".
      6. Find "NextDNS Root CA".
      7. Click the red X on the top to remove the NextDNS root certificate.
      THEN

      Like 1
  • How to script cert installation?

    Like
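The question above has no reply in the thread. As an added example that is not part of the page or of NextDNS's own tooling, here is a POSIX shell script that performs the Linux and macOS steps of the guide above non-interactively, and refuses to install the CA unless the downloaded file's SHA-256 fingerprint matches one you obtained out of band. The file names, store paths and the fingerprint placeholder are assumptions; the real NextDNS fingerprint is not on this page.

```shell
#!/bin/sh
# Added example (not NextDNS's own code): non-interactive version of the Linux and macOS
# steps above. Assumes NextDNS.cer is DER or PEM, and that EXPECTED_SHA256 is the CA's
# SHA-256 fingerprint obtained out of band (placeholder here, not the real value).
set -u
EXPECTED_SHA256="<sha256 fingerprint of NextDNS Root CA, from a trusted source>"
# SHA-256 of the file bytes; for a DER certificate this equals its SHA-256 fingerprint.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else openssl dgst -sha256 -r "$1" | cut -d' ' -f1; fi
}

# Lower-case and drop colons so "AB:CD" and "abcd" compare equal.
norm_fp() { printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z'; }

# Succeeds only when the file's fingerprint matches the expected one.
verify_fingerprint() { [ "$(norm_fp "$(file_sha256 "$1")")" = "$(norm_fp "$2")" ]; }

# Emit PEM: pass PEM through, convert DER with openssl (the trust stores below want PEM).
to_pem() {
  if head -c 10 "$1" | grep -q 'BEGIN'; then cat "$1"; else openssl x509 -inform DER -in "$1"; fi
}

install_nextdns_ca() {
  cert=$1; expected=$2
  if ! verify_fingerprint "$cert" "$expected"; then
    echo "fingerprint mismatch: refusing to trust $cert" >&2; return 1
  fi
  case "$(uname -s)" in
    Linux)
      # System store only; Firefox also needs security.enterprise_roots.enabled=true (see above).
      if [ -d /usr/local/share/ca-certificates ]; then        # Debian/Ubuntu layout
        to_pem "$cert" | sudo tee /usr/local/share/ca-certificates/nextdns-root-ca.crt >/dev/null
        sudo update-ca-certificates
      else                                                   # RHEL/Fedora layout
        to_pem "$cert" | sudo tee /etc/pki/ca-trust/source/anchors/nextdns-root-ca.pem >/dev/null
        sudo update-ca-trust
      fi ;;
    Darwin)
      # -p ssl limits trust to TLS server identity, mirroring "Always Trust for SSL" above.
      to_pem "$cert" > "${TMPDIR:-/tmp}/nextdns-root-ca.pem"
      sudo security add-trusted-cert -d -r trustRoot -p ssl -k /Library/Keychains/System.keychain \
        "${TMPDIR:-/tmp}/nextdns-root-ca.pem" ;;
    *) echo "unsupported OS: $(uname -s)" >&2; return 1 ;;
  esac
}
# Usage: sh install-nextdns-ca.sh NextDNS.cer "$EXPECTED_SHA256"
if [ $# -ge 2 ]; then install_nextdns_ca "$1" "$2"; fi
```

On Windows the page's steps correspond to `certutil -addstore Root NextDNS.cer` from an elevated prompt; compare the fingerprint there too before running it.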
  • I tried to install it to my phone, but it shows "No user certificate on the storage device matches this issuer certificate."

    Like