Roman CA Certificate

Install this root certificate to get trusted HTTPS for *.roman and *.tower services over Tailscale.

Download roman-ca.crt

This is the public certificate only. It cannot be used to sign anything without the private key, which never leaves the server.
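A root you install is trusted to vouch for any site your browser or tools visit, so it is worth confirming that the file you downloaded is the one the server operator published before running the installation steps. The script below is an added example, not part of the original page: it computes the certificate's SHA-256 fingerprint with coreutils and succeeds only if it matches a value you obtained out of band. The function names, the script name and the fingerprint argument are assumptions; the page itself does not publish a fingerprint.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check roman-ca.crt against a
# SHA-256 fingerprint obtained out of band before trusting it.

# Print the SHA-256 fingerprint (bare lowercase hex) of a certificate file.
# Accepts PEM or DER; the fingerprint is the hash of the DER bytes.
cert_sha256() {
    local file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if grep -aq -- '-----BEGIN CERTIFICATE-----' "$file"; then
        # PEM: take the base64 body of the first certificate and decode it.
        awk '/-----BEGIN CERTIFICATE-----/{on=1; next}
             /-----END CERTIFICATE-----/{exit} on' "$file" \
            | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
    else
        sha256sum < "$file" | cut -d' ' -f1
    fi
}

# Reduce "AA:BB:CC..." as printed by most tools to bare lowercase hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only when the file's fingerprint equals the expected value.
verify_ca() {
    local file="$1" expected actual
    expected=$(normalise_fp "$2")
    # Exactly 64 hex characters, so an empty or truncated value never matches.
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected fingerprint must be 64 hex chars" >&2; return 2; }
    actual=$(cert_sha256 "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file has fingerprint $actual"
    else
        echo "MISMATCH: $file has fingerprint $actual; do not install" >&2
        return 1
    fi
}

# Run as: ./verify-ca.sh roman-ca.crt <fingerprint>   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    verify_ca "$1" "$2"
    exit $?
fi
```

If OpenSSL is installed, openssl x509 -noout -fingerprint -sha256 -in roman-ca.crt prints the same value in colon-separated form.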

Installation

Chrome / Vivaldi (NSS) [Required]

Chrome and Vivaldi on Linux use their own certificate database (NSS), not the system trust store. You must add the cert here or these browsers won't trust it.

  1. Download the certificate (button above), or use curl:

     curl -o roman-ca.crt https://cert.imfucked.lol/roman-ca.crt

  2. Install certutil if you don't have it:

     # Debian / Ubuntu
     sudo apt install libnss3-tools

     # Arch / Manjaro
     sudo pacman -S nss

     # Fedora / RHEL
     sudo dnf install nss-tools

  3. Add the cert to the NSS database:

     certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Roman CA" -i roman-ca.crt

  4. Restart your browser. Verify by visiting https://any-service.roman.

To remove later:

     certutil -d sql:$HOME/.pki/nssdb -D -n "Roman CA"

System trust store [CLI tools + curl]

Adds the cert for curl, wget, and other tools that use the system CA bundle. Does not affect Chrome, Vivaldi, or Firefox.

# Debian / Ubuntu
sudo cp roman-ca.crt /usr/local/share/ca-certificates/roman-ca.crt
sudo update-ca-certificates

# Arch / Manjaro
sudo cp roman-ca.crt /etc/ca-certificates/trust-source/anchors/roman-ca.crt
sudo update-ca-trust

# Fedora / RHEL
sudo cp roman-ca.crt /etc/pki/ca-trust/source/anchors/roman-ca.crt
sudo update-ca-trust

Firefox on Linux [Separate store]

Firefox uses its own certificate store. See the Firefox tab.

Certificate Manager [Chrome + Vivaldi]

  1. Download the certificate (button above).
  2. Double-click roman-ca.crt to open the Certificate Import Wizard.
  3. Select Local Machine (for all users) or Current User, then click Next.
  4. Choose Place all certificates in the following store.
  5. Click Browse and select Trusted Root Certification Authorities.
  6. Click Next, then Finish. Confirm the security prompt.
  7. Restart your browser.
Alternatively, from an admin PowerShell:
certutil -addstore "Root" roman-ca.crt

Firefox on Windows [Separate store]

Firefox ignores the Windows cert store by default. See the Firefox tab.

Install as User CA [All browsers]

  1. Download the certificate (button above) on your phone.
  2. Go to Settings → Security & privacy → More security & privacy → Encryption & credentials.
  3. Tap Install a certificate → CA certificate.
  4. Confirm the warning ("This could allow a third party to monitor your network traffic…").
  5. Select the downloaded roman-ca.crt file.
  6. You should see "CA certificate installed".
The exact path varies by Android version and manufacturer. On Samsung, look under Biometrics and security. On Pixel, the path above should be accurate for Android 14+.

Chrome on Android

Chrome trusts user-installed CAs on Android. After installing the cert above, Chrome will show a green lock for *.roman and *.tower with no extra config needed.

Option A: Use the system store [Recommended]

Tell Firefox to trust OS-level certificates. This means you only install the cert once per OS.

  1. Open about:config in Firefox.
  2. Search for security.enterprise_roots.enabled.
  3. Set it to true.
  4. Restart Firefox.
After this, Firefox uses the system trust store (Linux/Windows) in addition to its own. Install the CA cert at the OS level and you're done.

Option B: Import directly into Firefox

  1. Open Settings → Privacy & Security.
  2. Scroll to Certificates and click View Certificates.
  3. Go to the Authorities tab.
  4. Click Import and select roman-ca.crt.
  5. Check Trust this CA to identify websites.
  6. Click OK.