# Service Certificate

```{attention}
The service certificate in this chapter is different from the MITM capture certificate described in [Installing MITM Certificate](./install-mitm-cert.md); the latter is installed in the Android system trust store to make the app trust the proxy for traffic interception. The service certificate is a PEM format file loaded by the FIRERPA server and held by the client, used to encrypt the FIRERPA communication link and verify the visitor's identity.
```

This chapter introduces the generation and deployment of the FIRERPA service certificate. The FIRERPA server does not enable authentication by default; anyone on the same network who knows the device IP and port can connect to the remote desktop, call the API, or use SSH. If you need to use it in an untrusted network environment or require TLS encryption for communication, you should enable access control via a service certificate.

```{note}
When installing the server via the APP, you can enable authentication in the APP's **Configuration**, and the APP will automatically generate and set the certificate, eliminating the need to follow the generation steps below. For Magisk module or manual deployment, you need to follow the steps in this chapter to generate and manually deploy the certificate.
```

Before generating the certificate, you must complete [Tool Preparation](./tools-prepare.md) on the PC, clone the `lamda` repository, and install Python dependencies in the `tools` directory. In the `tools` directory, run `cert.py`, replacing the argument with the hostname used to access the device.

```bash
python3 cert.py mydevice.local
```

After successful execution, the current directory will contain `mydevice.local.pem` together with `root.crt` and `root.key`. The `.pem` file is used by the server to enable TLS and by the client to verify identity; `root.crt` and `root.key` are the root certificate key pair, which are not normally used for day-to-day connections but should be kept safe for future replacement or troubleshooting.

The first line of the generated PEM file is a metadata comment, where the `PASSWD` field value is the default remote desktop login credential. Do not manually edit the private key or certificate content in the PEM file, as this may cause the server to fail to start or client verification to be abnormal. The certificate file format is as follows, with the blocks in strict order: `key`, `cert`, `CA`.

```text
LAMDA SSL CERTIFICATE (CN=mydevice.local,PASSWD=e908d358...)
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA33YUKkfUkLeWtsCe7A1yzIZsqOTd1a8XWr9+Vh0ombOdtnqK...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC1DCCAbygAwIBAgIQBKjY0w1FbPJooD5mJ1CWwDANBgkqhkiG9w0BAQsFADAz...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIQR9OCJbQGGQT5Pgp7PmLrDTANBgkqhkiG9w0BAQsFADAz...
-----END CERTIFICATE-----
```
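As an added example (not part of the lamda project's own tooling), a small Python check that confirms a generated PEM has the documented layout before it is deployed, and reads `CN` and `PASSWD` from the metadata line. The sample file contents are constructed placeholders, not real key or certificate material.

```python
import re

# Constructed sample in the layout documented above; the key/certificate
# bodies and the PASSWD value are placeholders, not real material.
SAMPLE_PEM = """LAMDA SSL CERTIFICATE (CN=mydevice.local,PASSWD=0123456789abcdef)
-----BEGIN RSA PRIVATE KEY-----
KEY-BODY-PLACEHOLDER
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SERVER-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-CA-PLACEHOLDER
-----END CERTIFICATE-----
"""

HEADER_RE = re.compile(r"^LAMDA SSL CERTIFICATE \((.*)\)\s*$")
# One PEM block; the backreference forces the BEGIN and END labels to match.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
# Required block order: key, cert, CA.
EXPECTED_ORDER = ("RSA PRIVATE KEY", "CERTIFICATE", "CERTIFICATE")


def parse_lamda_pem(text):
    """Return the metadata and the three blocks, or raise ValueError."""
    lines = text.splitlines()
    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        raise ValueError("first line is not the LAMDA SSL CERTIFICATE metadata comment")
    meta = {}
    for item in header.group(1).split(","):
        key, _, value = item.strip().partition("=")
        meta[key] = value
    if "CN" not in meta or "PASSWD" not in meta:
        raise ValueError("metadata line lacks CN or PASSWD")
    blocks = BLOCK_RE.findall(text)
    labels = tuple(label for label, _ in blocks)
    if labels != EXPECTED_ORDER:
        raise ValueError(f"expected blocks {EXPECTED_ORDER}, found {labels}")
    return {"cn": meta["CN"], "passwd": meta["PASSWD"],
            "key": blocks[0][1], "cert": blocks[1][1], "ca": blocks[2][1]}


def is_valid_lamda_pem(text):
    """True if the file has the documented layout, False otherwise."""
    try:
        parse_lamda_pem(text)
        return True
    except ValueError:
        return False
```

Running this over a PEM that was edited by hand, or whose blocks were reordered, reports the problem before the server refuses to start with it.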

After certificate generation, you also need to configure the FIRERPA server to load the certificate at startup for access control to take effect. For Magisk deployment, rename the PEM to `lamda.pem` and place it into the module package as described in the [Installing Server](./install-server.md) Magisk section. After the configuration takes effect and the service restarts, the remote desktop, API, and supporting tools will operate under HTTPS and certificate requirements.

For manual installation, you can pass the certificate by adding the command-line argument `--certificate=/path/to/lamda.pem` after `launch.sh`, or by setting the `cert` configuration item in [Service Configuration](./properties.md).

```{note}
After enabling the service certificate, [Remote Desktop](./remote-desktop.md) must be accessed using the https:// protocol, and the above password must be entered in the WebUI. You can also set an alternative login password via the `ssl-web-credential` item in [Service Configuration](./properties.md). When connecting with the Python client, specify the PEM path in the Device constructor (see [API Preparation](./api-prepare.md)). For command-line tools in the tools directory, specify the path via the CERTIFICATE environment variable (see [Tool Preparation](./tools-prepare.md)).
```