Service Certificate
Attention
The service certificate in this chapter is different from the MITM capture certificate described in Installing MITM Certificate; the latter is installed in the Android system trust store to make the app trust the proxy for traffic interception. The service certificate is a PEM format file loaded by the FIRERPA server and held by the client, used to encrypt the FIRERPA communication link and verify the visitor's identity.
This chapter introduces the generation and deployment of the FIRERPA service certificate. The FIRERPA server does not enable authentication by default; anyone on the same network who knows the device IP and port can connect to the remote desktop, call the API, or use SSH. If you need to use it in an untrusted network environment or require TLS encryption for communication, you should enable access control via a service certificate.
Note
When installing the server via the APP, you can enable authentication in the APP's Configuration, and the APP will automatically generate and set the certificate, eliminating the need to follow the generation steps below. For Magisk module or manual deployment, you need to follow the steps in this chapter to generate and manually deploy the certificate.
Before generating the certificate, you must complete Tool Preparation on the PC, clone the lamda repository, and install Python dependencies in the tools directory. In the tools directory, run cert.py, replacing the argument with the hostname used to access the device.
python3 cert.py mydevice.local
After successful execution, three files are written to the current directory: mydevice.local.pem, root.crt and root.key. The .pem file is loaded by the server to enable TLS and used by the client to verify the server's identity; root.crt and root.key are the root certificate key pair. They are not needed for day-to-day connections, but keep them safe for future certificate replacement or troubleshooting.
The first line of the generated PEM file is a metadata comment; its PASSWD field holds the default remote desktop login credential. Do not manually edit the private key or certificate content in the PEM file, as this may prevent the server from starting or break client verification. The file layout is shown below; the three blocks must appear in strict order: private key, certificate, CA certificate.
LAMDA SSL CERTIFICATE (CN=mydevice.local,PASSWD=e908d358...)
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA33YUKkfUkLeWtsCe7A1yzIZsqOTd1a8XWr9+Vh0ombOdtnqK...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC1DCCAbygAwIBAgIQBKjY0w1FbPJooD5mJ1CWwDANBgkqhkiG9w0BAQsFADAz...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIQR9OCJbQGGQT5Pgp7PmLrDTANBgkqhkiG9w0BAQsFADAz...
-----END CERTIFICATE-----
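Because a hand-edited or truncated PEM only fails at server start or client connection time, it is worth checking the file before deploying it. The following stand-alone script is an added example, not part of the lamda repository or the cert.py tool: it parses the metadata comment line, recovers the CN and PASSWD fields, verifies that exactly three blocks appear in the order key, cert, CA, checks that every block body is still plain base64, and optionally compares the CN against the hostname you passed to cert.py. The embedded sample is constructed to match the layout shown above; its bodies and PASSWD value are placeholders, not real key material.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the FIRERPA PEM layout described above: one metadata
# comment line, then key, certificate and CA certificate in that order.
# The base64 bodies and the PASSWD value are placeholders, not real material.
SAMPLE_PEM = """LAMDA SSL CERTIFICATE (CN=mydevice.local,PASSWD=0123456789abcdef)
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAplaceholderkeybody
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC1DCCAbygAwIBAgIQplaceholderleafbody
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIQplaceholdercabody
-----END CERTIFICATE-----
"""

METADATA_RE = re.compile(r"^LAMDA SSL CERTIFICATE \((?P<fields>[^)]*)\)\s*$")
BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)\n-----END (?P=label)-----",
    re.S,
)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
# Block labels the server expects, in strict order: key, cert, CA.
EXPECTED_LABELS = ("RSA PRIVATE KEY", "CERTIFICATE", "CERTIFICATE")


@dataclass
class PemReport:
    cn: Optional[str]
    passwd: Optional[str]
    labels: List[str]
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_metadata(line: str) -> Dict[str, str]:
    """Parse 'LAMDA SSL CERTIFICATE (CN=...,PASSWD=...)' into a dict."""
    m = METADATA_RE.match(line)
    if not m:
        raise ValueError("first line is not a LAMDA SSL CERTIFICATE metadata comment")
    fields: Dict[str, str] = {}
    for item in m.group("fields").split(","):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def inspect_pem(text: str, expected_cn: Optional[str] = None) -> PemReport:
    """Check a FIRERPA service PEM for layout problems before deploying it."""
    problems: List[str] = []
    first_line = text.splitlines()[0] if text.strip() else ""
    try:
        meta = parse_metadata(first_line)
    except ValueError as exc:
        meta = {}
        problems.append(str(exc))

    cn = meta.get("CN")
    passwd = meta.get("PASSWD")
    if cn is None:
        problems.append("metadata line has no CN field")
    elif expected_cn and cn != expected_cn:
        problems.append(f"CN {cn} does not match expected {expected_cn}")
    if not passwd:
        problems.append("metadata line has no PASSWD field")

    blocks = BLOCK_RE.findall(text)  # list of (label, body) tuples
    labels = [label for label, _ in blocks]
    if len(blocks) != len(EXPECTED_LABELS):
        problems.append(
            f"expected {len(EXPECTED_LABELS)} PEM blocks (key, cert, CA), found {len(blocks)}"
        )
    elif tuple(labels) != EXPECTED_LABELS:
        problems.append(f"block order {labels} is not key, cert, CA")
    for label, body in blocks:
        # A hand-edited or corrupted body shows up as non-base64 characters.
        if not BASE64_RE.match(body):
            problems.append(f"{label} block contains non-base64 characters")

    return PemReport(cn=cn, passwd=passwd, labels=labels, problems=problems)


if __name__ == "__main__":
    import sys

    # Usage: python3 check_pem.py mydevice.local.pem [mydevice.local]
    path = sys.argv[1]
    host = sys.argv[2] if len(sys.argv) > 2 else None
    with open(path, encoding="utf-8") as fh:
        report = inspect_pem(fh.read(), expected_cn=host)
    print("OK" if report.ok else "PROBLEMS: " + "; ".join(report.problems))
```

Run it against the PEM you are about to deploy, passing the same hostname you gave cert.py as the second argument so a CN mismatch is caught before the client rejects the connection. The script reads the PASSWD field only to confirm it is present; treat the file as a secret, since anyone holding it has both the private key and the default remote desktop credential.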
After certificate generation, you also need to configure the FIRERPA server to load the certificate at startup for access control to take effect. For Magisk deployment, rename the PEM to lamda.pem and place it into the module package as described in the Installing Server Magisk section. After the configuration takes effect and the service restarts, the remote desktop, API, and supporting tools will operate under HTTPS and certificate requirements.
For manual installation, you can pass the certificate by adding the command-line argument --certificate=/path/to/lamda.pem after launch.sh, or by setting the cert configuration item in Service Configuration.
Note
After enabling the service certificate, Remote Desktop must be accessed over https://, and the PASSWD value from the PEM metadata line must be entered in the WebUI. You can also set an alternative login password via the ssl-web-credential item in Service Configuration. When connecting with the Python client, specify the PEM path in the Device constructor (see API Preparation). For command-line tools in the tools directory, specify the path via the CERTIFICATE environment variable (see Tool Preparation).