
How to install and trust NextDNS Root CA

Windows

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Certificate window will open).
  3. Click on Install Certificate.
  4. In the Certificate Import Wizard, when prompted for the Certificate Store, choose Place all certificates in the following store and select the Trusted Root Certification Authorities store.

CLI Installation

In a PowerShell session running as administrator, run:

Invoke-WebRequest -Uri "https://nextdns.io/ca" -OutFile "$env:TEMP\nextdns.cer"
certutil -addstore -f root "$env:TEMP\nextdns.cer"
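
A scripted variant of the CLI installation above that inspects the downloaded certificate and compares it to a pinned thumbprint before adding it to the root store. This is an added example, not NextDNS's own script; the function name Install-ReviewedRootCA and the thumbprint placeholder are assumptions, and the pinned value must come from a copy of the certificate you have reviewed.

```powershell
#Requires -RunAsAdministrator
# Added example, not NextDNS's own script. Install-ReviewedRootCA is a
# hypothetical helper name; the thumbprint passed at the bottom is a placeholder.
function Install-ReviewedRootCA {
    param(
        [string]$Uri = 'https://nextdns.io/ca',
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $path = Join-Path $env:TEMP 'nextdns.cer'
    Invoke-WebRequest -Uri $Uri -OutFile $path -UseBasicParsing

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

    # Print what is about to be trusted so it ends up in the deployment log.
    $cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter | Out-Host

    $now = Get-Date
    $problems = @()
    if ($cert.Subject -ne $cert.Issuer) { $problems += 'not self-signed (not a root)' }
    if (-not ($bc -and $bc.CertificateAuthority)) { $problems += 'basicConstraints CA flag missing' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
    # Normalise the pinned value (strip spaces/colons) before comparing.
    $pinned = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $pinned) {
        $problems += "thumbprint $($cert.Thumbprint) does not match the pinned value"
    }

    if ($problems.Count -gt 0) {
        Remove-Item $path -ErrorAction SilentlyContinue
        throw "Refusing to install: $($problems -join '; ')"
    }

    Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    # Confirm the store now holds exactly the certificate that was reviewed.
    if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
        throw 'Certificate not found in LocalMachine\Root after import'
    }
    "Installed $($cert.Subject) [$($cert.Thumbprint)]"
}

# Placeholder: replace with the SHA-1 thumbprint of a copy you have reviewed.
Install-ReviewedRootCA -ExpectedThumbprint '<PINNED-THUMBPRINT>'
```

To undo the change later, delete the entry by the same thumbprint with Remove-Item on its Cert:\LocalMachine\Root path.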

macOS

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open the NextDNS.cer file (the Keychain Access.app will open with the list of Certificates installed on your computer).
  3. Double-click on NextDNS Root CA in that list.
  4. Under Trust, choose Always Trust for Secure Socket Layers (SSL).
  5. Close the window (you may be asked to enter your system password to confirm the change).

iOS

  1. Open https://nextdns.io/ca, then choose Allow.
  2. Open the Settings app, then go to General → Profiles.
  3. Open NextDNS Root CA, then Install.
  4. In the Settings app, go to General → About → Certificate Trust Settings.
  5. Enable Full Trust for NextDNS Root CA.

Android

  1. Open https://nextdns.io/ca, then choose Download.
  2. Open the downloaded NextDNS.cer file.
  3. When asked, name the certificate NextDNS.

Linux

Firefox

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open  →Privacy & Security.
  3. Scroll down to Certificates and click View Certificates…
  4. In the Authorities tab click Import.
  5. Select the NextDNS.cer file.
  6. Check Trust this CA to identify websites then click OK.

Chrome, Chromium

  1. Open https://nextdns.io/ca to download the NextDNS.cer file.
  2. Open chrome://settings/certificates
  3. In the Authorities tab click Import.
  4. In the lower right, select All Files
  5. Select the NextDNS.cer file.
  6. Check Trust this certificate for identifying websites then click OK.

If you're using Firefox, an additional step is required:

  1. Enter about:config in the address bar, then press Enter.
  2. If asked, click on Accept the Risk and Continue.
  3. Set the value for security.enterprise_roots.enabled to true.

34 replies

    • Tzvi
    • 1 yr ago

    How to script cert installation?

      • PCSPEZIALIST
      • 6 mths ago

      Thanks!

      The certificate is not included in your roaming client, is it?

      • NextDNs
      • 6 mths ago

       No, it is not.

      • PCSPEZIALIST
      • 5 mths ago

      Thanks for your help, 

      It is working great. 👍

    • Jay_Lecera
    • 1 yr ago

    I tried to install it to my phone, but it shows "No user certificate on the storage device matches this issuer certificate."

    • GregTheHun
    • 9 mths ago

    Could there be a section on where to add this to popular Router distros?

    PfSense
    OpnSense
    OpenWRT
    etc

    Thank you

    • JW206
    • 5 mths ago

    I am having a hard time installing the NextDNS CA certificate on macOS Sonoma 14.5.

    I get this message:

    The "System Roots" keychain cannot be modified.

    To change whether a root certificate is trusted, open it in Keychain Access and modify its Trust Settings. New root certificates should be added to the login keychain for the current user, or to the System keychain if they are to be shared by all users of this machine.

    I am not sure how to proceed. When I attempt to open the certificate in Keychain Access, I either get the above message, or I cannot locate the certificate.

    • bva
    • 3 wk ago

    I want to inform users of iOS that there is another/updated way to install the cert:

    To install a .cer file on an iOS device, follow these steps:

    1. Email the certificate: Attach the .cer file to an email and send it to yourself. This is the recommended method as other third-party programs are sandboxed from accessing the iOS keychain.
    2. Open the email: On your iOS device, open the email containing the attached .cer file.
    3. Tap the attachment: Tap the .cer file attachment to download and open it.
    4. Install the certificate: If prompted, tap “Install” to install the certificate. If a warning dialog appears, tap “Install” again.
    5. Verify the certificate: You may be asked to enter a numeric code used to unlock your device (e.g., if your device is passcode-locked).

    • kangaroobear
    • 2 wk ago

    Currently the root cert found at https://nextdns.io/ca is not the same root CA used by `dns.nextdns.io`.

      • NextDNs
      • 2 wk ago

       This is absolutely normal and expected.