
How to install and trust NextDNS Root CA

Windows

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Certificate window will open).
  3. Click on Install Certificate.
  4. In the Certificate Import Wizard, when prompted for the Certificate Store, choose Place all certificates in the following store and select the Trusted Root Certification Authorities store.

macOS

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Keychain Access.app will open with the list of Certificates installed on your computer).
  3. Double-click on NextDNS Root CA in that list.
  4. Under Trust, choose Always Trust for Secure Socket Layers (SSL).
  5. Close the window (you may be asked to enter your system password to confirm the change).

iOS

  1. Open https://nextdns.io/ca, then choose Allow.
  2. Open the Settings app, then go to General → Profiles.
  3. Open NextDNS Root CA, then Install.
  4. In the Settings app, go to General → About → Certificate Trust Settings.
  5. Enable Full Trust for NextDNS Root CA.

Android

  1. Open https://nextdns.io/ca, then choose Download.
  2. Open the downloaded NextDNS.cer file.
  3. When asked, name the certificate NextDNS.

Note that since Android 7.0, an app only trusts user-installed CA certificates if it explicitly opts in through its network security configuration. Chrome does, so the certificate takes effect there, but not necessarily in other apps.

Linux

Firefox

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the Firefox menu, then Settings (Preferences in older versions) → Privacy & Security.
  3. Scroll down to Certificates and click View Certificates…
  4. In the Authorities tab click Import.
  5. Select the NextDNS.cer file.
  6. Check Trust this CA to identify websites, then click OK.

Chrome, Chromium

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open chrome://settings/certificates
  3. In the Authorities tab click Import.
  4. In the lower right of the file dialog, select All Files.
  5. Select the NextDNS.cer file.
  6. Check Trust this certificate for identifying websites then click OK.

If you're using Firefox on Windows or macOS, where the certificate was installed into the operating system's store, an additional step is required, because Firefox keeps its own certificate store and only trusts system-installed roots when this preference is enabled:

  1. Enter about:config in the address bar, then press Enter.
  2. If asked, click on Accept the Risk and Continue.
  3. Set the value for security.enterprise_roots.enabled to true.
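The steps above are manual and per browser. As an added example that is not part of the NextDNS page, the following POSIX shell script shows the check a practitioner would run on the downloaded NextDNS.cer before trusting it (its SHA-256 fingerprint, and confirmation that it really is a self-signed CA certificate) and then installs it into the Linux system trust store, which the page does not cover. It assumes openssl is installed; the store paths and rebuild commands are the Debian/Ubuntu and Fedora/RHEL defaults, and the install step needs root privileges. The page gives no fingerprint to compare against, so that value has to be obtained out of band.

```shell
#!/bin/sh
# Added example, not part of the NextDNS page: inspect a downloaded root CA
# file before trusting it, then install it into the Linux system trust store.
# Assumes openssl is available. The file name NextDNS.cer comes from the page;
# the store paths below are the Debian/Ubuntu and Fedora/RHEL defaults.
set -eu

# Emit the certificate as PEM whether the .cer file is PEM or DER encoded.
to_pem() {
  if openssl x509 -in "$1" -noout 2>/dev/null; then
    openssl x509 -in "$1"               # already PEM
  else
    openssl x509 -in "$1" -inform DER   # .cer files are often DER
  fi
}

# SHA-256 fingerprint (AB:CD:...): the value to compare against a fingerprint
# obtained out of band before anything is installed.
ca_fingerprint() {
  to_pem "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# A root must be a CA (basicConstraints CA:TRUE) and self-signed (issuer equal
# to subject). Anything else does not belong in the root store.
is_self_signed_ca() {
  pem=$(to_pem "$1")
  printf '%s\n' "$pem" | openssl x509 -noout -text \
    | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' || return 1
  subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Install into the distribution's trust store and rebuild the bundle.
# Needs root. $1 = .cer file, $2 = name for the store entry (default NextDNS).
install_system_ca() {
  name=${2:-NextDNS}
  is_self_signed_ca "$1" || { echo "refusing: not a self-signed CA certificate" >&2; return 1; }
  if command -v update-ca-certificates >/dev/null 2>&1; then       # Debian/Ubuntu
    to_pem "$1" > "/usr/local/share/ca-certificates/$name.crt"
    update-ca-certificates
  elif command -v update-ca-trust >/dev/null 2>&1; then            # Fedora/RHEL
    to_pem "$1" > "/etc/pki/ca-trust/source/anchors/$name.pem"
    update-ca-trust extract
  else
    echo "no known trust store tool found" >&2; return 1
  fi
}

# Succeeds once the system bundle trusts the certificate: openssl verify with
# the default store accepts a self-signed root only if that root is installed.
is_trusted_by_system() {
  to_pem "$1" | openssl verify >/dev/null 2>&1
}

# Usage:  sh inspect_ca.sh NextDNS.cer            (inspect only)
#         sudo sh inspect_ca.sh NextDNS.cer install
if [ -n "${1:-}" ]; then
  echo "SHA-256 fingerprint: $(ca_fingerprint "$1")"
  if is_self_signed_ca "$1"; then echo "self-signed CA: yes"; else echo "self-signed CA: NO"; fi
  if [ "${2:-}" = "install" ]; then install_system_ca "$1"; fi
fi
```

A system-wide install is picked up by programs that use the system bundle, such as curl; Firefox keeps its own certificate store, so the Firefox steps above are still needed.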
11 replies
  • What potential risk is there in installing the nextdns ca certificate?

    I read a pre installation warning that the owner of the CA certificate could potentially read my passwords and cc details.

    • Reply to G E: The risk is that if our certificate keys go into the wrong hands, they could impersonate any HTTPS website you visit (assuming they can also redirect your traffic). This is also something WE could do, as we have both the root certificate keys and the ability to rewrite your DNS queries. You thus have to trust us that we won't do this and that we protect our private keys correctly.

      To give you some insurance on how we protect those keys, here are some details on how we handle them:

      • The root certificate private key is offline, so this one can't be stolen.
      • It was used to generate an intermediate key that is stored in a TPM.
      • This intermediate key is used to generate short-lived "edge" certificates that are only valid for 5 days and are regenerated every day.
      • The edge certificate is transferred encrypted and stored in memory only on our DNS edge servers.

      The edge certificate is the one at risk. If one of our edge servers were compromised, and the attacker was able to extract the certificate and the private key from its memory, they could use it for up to 5 days. Note that they would still need a way to capture your traffic. We secure our servers the best we can, and monitor intrusions so we can quickly revoke a certificate (even before the 5 days) in case of intrusion.

      Like 8
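To make the hierarchy in the reply above concrete, here is an added example (not NextDNS's own tooling) that builds a root, an intermediate and a 5-day edge certificate with openssl, then checks what a client does with the edge certificate depending on which root it trusts and when. The 5-day lifetime is from the reply; the hostname blocked.example, the key sizes and the root and intermediate lifetimes are illustrative assumptions, and in the real deployment the intermediate key would sit in a TPM rather than in a file.

```shell
#!/bin/sh
# Added example, not NextDNS tooling: a three-tier hierarchy modelled on the
# reply above (offline root -> intermediate -> 5-day edge certificate).
# Requires openssl. The hostname, key sizes and the root and intermediate
# lifetimes are assumptions; only the 5-day edge lifetime comes from the reply.
set -eu

# Minimal openssl config so the result does not depend on the system
# openssl.cnf. $1 = output path, $2 = CN, $3 = basicConstraints value.
write_cfg() {
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
    printf '[dn]\nCN = %s\n' "$2"
    printf '[ext]\nbasicConstraints = critical,%s\n' "$3"
  } > "$1"
}

# Root: self-signed and long-lived. Its key stays offline; here it is only a
# file in the work directory, which is exactly what you would never copy to a server.
make_root() {          # $1 = workdir
  write_cfg "$1/root.cnf" "Example Root CA" "CA:TRUE"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$1/root.cnf" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# Intermediate: signed by the root, may only issue end-entity certificates.
make_intermediate() {  # $1 = workdir
  write_cfg "$1/int.cnf" "Example Intermediate CA" "CA:TRUE,pathlen:0"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/int.cnf" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1825 -extfile "$1/int.cnf" -extensions ext \
    -out "$1/int.pem" 2>/dev/null
}

# Edge certificate: issued by the intermediate for one hostname, valid 5 days.
make_edge() {          # $1 = workdir, $2 = hostname
  write_cfg "$1/edge.cnf" "$2" "CA:FALSE"
  printf 'subjectAltName = DNS:%s\n' "$2" >> "$1/edge.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/edge.cnf" \
    -keyout "$1/edge.key" -out "$1/edge.csr" 2>/dev/null
  openssl x509 -req -in "$1/edge.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 5 -extfile "$1/edge.cnf" -extensions ext \
    -out "$1/edge.pem" 2>/dev/null
}

# Verify the edge certificate the way a client would: $2 is the trust anchor,
# $3 an optional evaluation time (seconds since the epoch). 0 = chain accepted.
verify_edge() {        # $1 = workdir, $2 = trusted root file, $3 = time
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$1/int.pem" -attime "$3" "$1/edge.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" -untrusted "$1/int.pem" "$1/edge.pem" >/dev/null 2>&1
  fi
}

# 0 if the edge certificate will still be valid $2 days from now.
edge_valid_in_days() { # $1 = workdir, $2 = days
  openssl x509 -in "$1/edge.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); decoy=$(mktemp -d)
  make_root "$d"; make_intermediate "$d"; make_edge "$d" blocked.example
  make_root "$decoy"                     # a different root that a client might trust instead
  if verify_edge "$d" "$d/root.pem"; then echo "client trusting our root: edge certificate accepted"; fi
  if ! verify_edge "$d" "$decoy/root.pem"; then echo "client trusting a different root: rejected"; fi
  if edge_valid_in_days "$d" 4; then echo "edge certificate still valid in 4 days"; fi
  if ! edge_valid_in_days "$d" 6; then echo "edge certificate expired by day 6"; fi
  later=$(( $(date +%s) + 6 * 86400 ))
  if ! verify_edge "$d" "$d/root.pem" "$later"; then echo "a stolen edge certificate is useless after its 5-day window"; fi
  rm -rf "$d" "$decoy"
}
demo
```

The two negative checks are the point of the reply: the edge certificate is only accepted by clients that have installed this root, and even then only during its 5-day window, which bounds what a compromised edge server yields.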
      G E, 5 mths ago, replying to Olivier Poitrey:
      Dear Olivier, thank you for your elaborate reply to my question. A large part of my question comes from my lack of technical expertise in the subject. Thus, I am glad to see you taking the time to explain the situation in much detail.

      Like 1
      Ed Jamison, 3 mths ago, replying to Olivier Poitrey:
      I love the honesty of your company. You don't BS anyone and try to tell them everything is perfect and secure. You even admit the obvious, which is that your company can also manipulate the SSL. I wish all companies were like yours. I love your product BTW, I am in a severely targeted situation and your service helps me in the fight.

      Like 1
  • I think for Firefox on PC it is safer and better to install the certificate in the internal storage rather than change the setting so that the browser trusts all system certificates.

  • Hi, thanks for elaborating on this. On my Android, yes, it's working perfectly. But on my laptop, especially in the Chrome browser, even after following all the instructions it doesn't remove the HTTPS warning message. So, do I have to tweak something in Chrome?

  • Hi, I have installed it but now I cannot delete it from my Samsung S21, could you help me?

  • Thanks

  • Can this certificate be installed at the router level?

    • John, no, it has to be installed on every single host.

  • Hello! I installed the certificate on my device, but the certificate does not appear on the websites.

    Like 1