Feature Request: Auto-import self-signed certificates to system trust store #2192
Description
Feature Request: Auto-import self-signed certificates to system trust store
Problem Statement
Currently, fastn-rig generates self-signed certificates for STARTTLS email protocols, but users must manually trust these certificates in their email clients (Apple Mail, Thunderbird, etc.). This creates friction for:
- End users - Manual certificate trust is error-prone and confusing
- E2E testing - Real email client testing requires manual certificate setup
- Development - Certificate warnings break automated testing workflows
Current Certificate Architecture Analysis
Based on code review of fastn-rig/src/certs/:
✅ What works:
- Self-signed cert generation using rig's Ed25519 key (
self_signed.rs:87-144) - Per-IP certificate storage in
fastn_home.parent()/certs/self-signed/ - Subject Alternative Names include localhost, 127.0.0.1, public IP, hostname, domain
- TLS configuration for STARTTLS SMTP server
❌ Current gaps:
- Filesystem save/load incomplete (
filesystem.rs:175-198- stubs only) - No certificate export functionality for external use
- Manual trust required for email clients
- No verification that certificates are properly trusted
Proposed Solution
New CLI Command: fastn-rig trust-cert
```bash
Auto-import certificate to system trust store
fastn-rig trust-cert
With verification tests
fastn-rig trust-cert --verify
Export certificate without importing
fastn-rig trust-cert --export-only --output ~/fastn-cert.pem
```
Cross-Platform Implementation Plan
macOS Support
```bash
User keychain (no sudo required)
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain cert.pem
System keychain (requires sudo)
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain cert.pem
```
Linux Support
```bash
Ubuntu/Debian
sudo cp cert.pem /usr/local/share/ca-certificates/fastn-rig.crt
sudo update-ca-certificates
RHEL/CentOS
sudo cp cert.pem /etc/pki/ca-trust/source/anchors/fastn-rig.crt
sudo update-ca-trust
```
Windows Support
```powershell
PowerShell as Administrator
Import-Certificate -FilePath "cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root"
```
SSL Verification Strategy
After certificate import, verify trust with multiple methods:
- curl test: `curl -v https://localhost:587/\` (should show trusted cert)
- openssl test: `openssl s_client -connect localhost:587 -starttls smtp`
- fastn-mail test: Internal SMTP connection without warnings
- Native TLS test: Rust reqwest/rustls validation
Implementation Architecture
```rust
// New module: fastn-rig/src/certs/trust.rs
pub struct CertificateTrustManager {
cert_storage: CertificateStorage,
os_detector: OsDetector,
}
impl CertificateTrustManager {
pub async fn install_certificate(&self) -> Result<(), CertError> {
// 1. Export certificate to temp file
// 2. Detect OS and call appropriate install command
// 3. Verify installation with SSL tests
// 4. Clean up temp files
}
pub async fn verify_certificate_trust(&self) -> Result<TrustStatus, CertError> {
// Run comprehensive SSL verification tests
}
}
```
User Experience Flow
- Development: `fastn-rig trust-cert` during setup
- E2E Testing: Automated certificate trust in CI/CD
- End Users: One-time certificate installation with verification
Benefits
- Improved UX: No more manual certificate trust steps
- Better Testing: Real email client testing without warnings
- Cross-Platform: Consistent experience across macOS/Linux/Windows
- Verification: Automated testing ensures certificates work properly
- Automation-Friendly: Scriptable for CI/CD workflows
Questions for Discussion
- Should we default to user keychain or system keychain on macOS?
- How to handle sudo requirements gracefully?
- Should certificate trust be part of `fastn-rig run` or separate command?
- What verification tests are most important?
- How to handle certificate rotation/updates?
Implementation Timeline
- Phase 1: Complete filesystem certificate storage
- Phase 2: Add certificate export functionality
- Phase 3: Implement macOS trust automation
- Phase 4: Add Linux/Windows support
- Phase 5: SSL verification testing
- Phase 6: Integration with existing workflows
Thoughts and feedback welcome! 🚀