feat(GODT-2771): gRPC calls for TLS certificates.

2025-12-10 04:36:43 +00:00 · 2023-08-17 10:22:56 +02:00
parent 2d6f42e0b5
commit f57a40677e
14 changed files with 1578 additions and 1073 deletions
--- a/internal/certs/cert_store_linux.go
+++ b/internal/certs/cert_store_linux.go
@ -24,3 +24,7 @@ func installCert([]byte) error {
 func uninstallCert([]byte) error {
 	return nil // Linux doesn't have a root cert store.
 }
+
+func isCertInstalled([]byte) error {
+	return false
+}
--- a/internal/certs/cert_store_windows.go
+++ b/internal/certs/cert_store_windows.go
@ -24,3 +24,7 @@ func installCert([]byte) error {
 func uninstallCert([]byte) error {
 	return nil // NOTE(GODT-986): Uninstall certs from root cert store?
 }
+
+func isCertInstalled([]byte) error {
+	return false
+}
--- a/internal/frontend/bridge-gui/bridge-gui/QMLBackend.cpp
+++ b/internal/frontend/bridge-gui/bridge-gui/QMLBackend.cpp
@ -278,6 +278,28 @@ void QMLBackend::clearAnswers() {
 }


+//****************************************************************************************************************************************************
+/// \return true iff the Bridge TLS certificate is installed.
+//****************************************************************************************************************************************************
+bool QMLBackend::isTLSCertificateInstalled() {
+    HANDLE_EXCEPTION_RETURN_BOOL(
+        bool v = false;
+        app().grpc().isTLSCertificateInstalled(v);
+        return v;
+    )
+}
+
+
+//****************************************************************************************************************************************************
+//
+//****************************************************************************************************************************************************
+void QMLBackend::installTLSCertificate() {
+    HANDLE_EXCEPTION(
+        app().grpc().installTLSCertificate();
+    )
+}
+
+
 //****************************************************************************************************************************************************
 /// \return The value for the 'showOnStartup' property.
 //****************************************************************************************************************************************************
@ -1267,6 +1289,9 @@ void QMLBackend::connectGrpcEvents() {
    connect(client, &GRPCClient::reportBugSuccess, this, &QMLBackend::bugReportSendSuccess);
    connect(client, &GRPCClient::reportBugFallback, this, &QMLBackend::bugReportSendFallback);
    connect(client, &GRPCClient::reportBugError, this, &QMLBackend::bugReportSendError);
+    connect(client, &GRPCClient::certificateInstallSuccess, this, &QMLBackend::certificateInstallSuccess);
+    connect(client, &GRPCClient::certificateInstallCanceled, this, &QMLBackend::certificateInstallCanceled);
+    connect(client, &GRPCClient::certificateInstallFailed, this, &QMLBackend::certificateInstallFailed);
    connect(client, &GRPCClient::showMainWindow, [&]() { this->showMainWindow("gRPC showMainWindow event"); });

    // cache events
--- a/internal/frontend/bridge-gui/bridge-gui/QMLBackend.h
+++ b/internal/frontend/bridge-gui/bridge-gui/QMLBackend.h
@ -64,6 +64,8 @@ public: // member functions.
    Q_INVOKABLE QString getQuestionAnswer(quint8 questionId) const; ///< Get the answer for a given question.
    Q_INVOKABLE QString collectAnswers(quint8 categoryId) const; ///< Collect answer for a given set of questions.
    Q_INVOKABLE void clearAnswers(); ///< Clear all collected answers.
+    Q_INVOKABLE bool isTLSCertificateInstalled(); ///< Check if the bridge certificate is installed in the OS keychain.
+    Q_INVOKABLE void installTLSCertificate(); ///< Installs the Bridge TLS certificate in the Keychain.

 public: // Qt/QML properties. Note that the NOTIFY-er signal is required even for read-only properties (QML warning otherwise)
    Q_PROPERTY(bool showOnStartup READ showOnStartup NOTIFY showOnStartupChanged)
@ -268,6 +270,9 @@ signals: // Signals received from the Go backend, to be forwarded to QML
    void bugReportSendSuccess(); ///< Signal for the 'bugReportSendSuccess' gRPC stream event.
    void bugReportSendFallback(); ///< Signal for the 'bugReportSendFallback' gRPC stream event.
    void bugReportSendError(); ///< Signal for the 'bugReportSendError' gRPC stream event.
+    void certificateInstallSuccess(); ///< Signal for the 'certificateInstallSuccess' gRPC stream event.
+    void certificateInstallCanceled(); ///< Signal for the 'certificateInstallCanceled' gRPC stream event.
+    void certificateInstallFailed(); /// Signal for the 'certificateInstallFailed' gRPC stream event.
    void showMainWindow(); ///< Signal for the 'showMainWindow' gRPC stream event.
    void hideMainWindow(); ///< Signal for the 'hideMainWindow' gRPC stream event.
    void showHelp(); ///< Signal for the 'showHelp' event (from the context menu).
--- a/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/EventFactory.cpp
+++ b/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/EventFactory.cpp
@ -202,6 +202,39 @@ SPStreamEvent newReportBugErrorEvent() {
 }


+//****************************************************************************************************************************************************
+/// \return The event.
+//****************************************************************************************************************************************************
+SPStreamEvent newCertificateInstallSuccessEvent() {
+    auto event = new grpc::CertificateInstallSuccessEvent;
+    auto appEvent = new grpc::AppEvent;
+    appEvent->set_allocated_certificateinstallsuccess(event);
+    return wrapAppEvent(appEvent);
+}
+
+
+//****************************************************************************************************************************************************
+/// \return The event.
+//****************************************************************************************************************************************************
+SPStreamEvent newCertificateInstallCanceledEvent() {
+    auto event = new grpc::CertificateInstallCanceledEvent;
+    auto appEvent = new grpc::AppEvent;
+    appEvent->set_allocated_certificateinstallcanceled(event);
+    return wrapAppEvent(appEvent);
+}
+
+
+//****************************************************************************************************************************************************
+/// \return The event.
+//****************************************************************************************************************************************************
+SPStreamEvent newCertificateInstallFailedEvent() {
+    auto event = new grpc::CertificateInstallFailedEvent;
+    auto appEvent = new grpc::AppEvent;
+    appEvent->set_allocated_certificateinstallfailed(event);
+    return wrapAppEvent(appEvent);
+}
+
+
 //****************************************************************************************************************************************************
 /// \return The event.
 //****************************************************************************************************************************************************
--- a/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/EventFactory.h
+++ b/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/EventFactory.h
@ -34,6 +34,9 @@ SPStreamEvent newResetFinishedEvent(); ///< Create a new ResetFinishedEvent even
 SPStreamEvent newReportBugFinishedEvent(); ///< Create a new ReportBugFinishedEvent event.
 SPStreamEvent newReportBugSuccessEvent(); ///< Create a new ReportBugSuccessEvent event.
 SPStreamEvent newReportBugErrorEvent(); ///< Create a new ReportBugErrorEvent event.
+SPStreamEvent newCertificateInstallSuccessEvent(); ///< Create a new CertificateInstallSuccessEvent event.
+SPStreamEvent newCertificateInstallCanceledEvent(); ///< Create a new CertificateInstallCanceledEvent event.
+SPStreamEvent newCertificateInstallFailedEvent(); ///< Create anew CertificateInstallFailedEvent event.
 SPStreamEvent newShowMainWindowEvent(); ///< Create a new ShowMainWindowEvent event.

 // Login events
--- a/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp
+++ b/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.cpp
@ -373,14 +373,6 @@ grpc::Status GRPCClient::reportBug(QString const &category, QString const &descr
 }


-//****************************************************************************************************************************************************
-/// \param[in] folderPath of the folder where the TLS files should be stored.
-//****************************************************************************************************************************************************
-grpc::Status GRPCClient::exportTLSCertificates(QString const &folderPath) {
-    return this->logGRPCCallStatus(this->setString(&Bridge::Stub::ExportTLSCertificates, folderPath), __FUNCTION__);
-}
-
-
 //****************************************************************************************************************************************************
 /// \param[out] outIMAPPort The IMAP port.
 /// \param[out] outSMTPPort The SMTP port.
@ -811,6 +803,32 @@ grpc::Status GRPCClient::setCurrentKeychain(QString const &keychain) {
 }


+//****************************************************************************************************************************************************
+/// \param[out] isInstalled is The Bridge certificate installed in the keychain.
+/// \return The status for the call
+//****************************************************************************************************************************************************
+grpc::Status GRPCClient::isTLSCertificateInstalled(bool isInstalled) {
+    return this->logGRPCCallStatus(this->getBool(&Bridge::Stub::IsTLSCertificateInstalled, isInstalled), __FUNCTION__);
+}
+
+
+//****************************************************************************************************************************************************
+/// \return The status for the gRPC call.
+//****************************************************************************************************************************************************
+grpc::Status GRPCClient::installTLSCertificate() {
+    return this->logGRPCCallStatus(this->simpleMethod(&Bridge::Stub::InstallTLSCertificate), __FUNCTION__);
+}
+
+
+//****************************************************************************************************************************************************
+/// \param[in] folderPath of the folder where the TLS files should be stored.
+/// \return The status for the gRPC call.
+//****************************************************************************************************************************************************
+grpc::Status GRPCClient::exportTLSCertificates(QString const &folderPath) {
+    return this->logGRPCCallStatus(this->setString(&Bridge::Stub::ExportTLSCertificates, folderPath), __FUNCTION__);
+}
+
+
 //****************************************************************************************************************************************************
 /// \return true iff the event stream is active.
 //****************************************************************************************************************************************************
@ -1134,6 +1152,18 @@ void GRPCClient::processAppEvent(AppEvent const &event) {
        this->logTrace("App event received: ReportBugFallback.");
        emit reportBugFallback();
        break;
+    case AppEvent::kCertificateInstallSuccess:
+        this->logTrace("App event received: CertificateInstallSuccess.");
+        emit certificateInstallSuccess();
+        break;
+    case AppEvent::kCertificateInstallCanceled:
+        this->logTrace("App event received: CertificateInstallCanceled.");
+        emit certificateInstallCanceled();
+        break;
+    case AppEvent::kCertificateInstallFailed:
+        this->logTrace("App event received: CertificateInstallFailed.");
+        emit certificateInstallFailed();
+        break;
    default:
        this->logError("Unknown App event received.");
    }
@ -1517,4 +1547,5 @@ grpc::Status GRPCClient::KBArticleClicked(QString const &article) {
    return this->logGRPCCallStatus(stub_->KBArticleClicked(this->clientContext().get(), s, &empty), __FUNCTION__);
 }

+
 } // namespace bridgepp
--- a/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.h
+++ b/internal/frontend/bridge-gui/bridgepp/bridgepp/GRPC/GRPCClient.h
@ -78,7 +78,6 @@ public: // member functions.
    grpc::Status setColorSchemeName(QString const &name); ///< Performs the "setColorSchemeName' gRPC call.
    grpc::Status currentEmailClient(QString &outName); ///< Performs the 'currentEmailClient' gRPC call.
    grpc::Status reportBug(QString const &category, QString const &description, QString const &address, QString const &emailClient, bool includeLogs); ///< Performs the 'ReportBug' gRPC call.
-    grpc::Status exportTLSCertificates(QString const &folderPath); ///< Performs the 'ExportTLSCertificates' gRPC call.
    grpc::Status quit(); ///< Perform the "Quit" gRPC call.
    grpc::Status restart(); ///< Performs the Restart gRPC call.
    grpc::Status triggerReset(); ///< Performs the triggerReset gRPC call.
@ -103,6 +102,9 @@ signals: // app related signals
    void reportBugSuccess();
    void reportBugError();
    void reportBugFallback();
+    void certificateInstallSuccess();
+    void certificateInstallCanceled();
+    void certificateInstallFailed();
    void showMainWindow();

    // cache related calls
@ -201,6 +203,11 @@ public: // keychain related calls
    grpc::Status currentKeychain(QString &outKeychain);
    grpc::Status setCurrentKeychain(QString const &keychain);

+public: // cert related calls
+    grpc::Status isTLSCertificateInstalled(bool isInstalled); ///< Perform the 'IsTLSCertificateInstalled' gRPC call.
+    grpc::Status installTLSCertificate(); ///< Perform the 'InstallTLSCertificate' gRPC call.
+    grpc::Status exportTLSCertificates(QString const &folderPath); ///< Performs the 'ExportTLSCertificates' gRPC call.
+
 signals:
    void changeKeychainFinished();
    void hasNoKeychain();
--- a/internal/frontend/grpc/bridge.pb.go
+++ b/internal/frontend/grpc/bridge.pb.go
--- a/internal/frontend/grpc/bridge.proto
+++ b/internal/frontend/grpc/bridge.proto
@ -56,7 +56,6 @@ service Bridge {
  rpc ColorSchemeName(google.protobuf.Empty) returns (google.protobuf.StringValue); // TODO Color scheme should probably entirely be managed by the client.
  rpc CurrentEmailClient(google.protobuf.Empty) returns (google.protobuf.StringValue);
  rpc ReportBug(ReportBugRequest) returns (google.protobuf.Empty);
-  rpc ExportTLSCertificates(google.protobuf.StringValue) returns (google.protobuf.Empty);
  rpc ForceLauncher(google.protobuf.StringValue) returns (google.protobuf.Empty);
  rpc SetMainExecutable(google.protobuf.StringValue) returns (google.protobuf.Empty);

@ -103,6 +102,11 @@ service Bridge {
  rpc AutoconfigClicked(google.protobuf.StringValue) returns (google.protobuf.Empty);
  rpc KBArticleClicked(google.protobuf.StringValue) returns (google.protobuf.Empty);

+  // TLS certificate related calls
+  rpc IsTLSCertificateInstalled(google.protobuf.Empty) returns (google.protobuf.BoolValue);
+  rpc InstallTLSCertificate(google.protobuf.Empty) returns (google.protobuf.Empty);
+  rpc ExportTLSCertificates(google.protobuf.StringValue) returns (google.protobuf.Empty);
+
  // Server -> Client event stream
  rpc RunEventStream(EventStreamRequest) returns (stream StreamEvent); // Keep streaming until StopEventStream is called.
  rpc StopEventStream(google.protobuf.Empty) returns (google.protobuf.Empty);
@ -262,6 +266,9 @@ message AppEvent {
    ReportBugErrorEvent reportBugError = 6;
    ShowMainWindowEvent showMainWindow = 7;
    ReportBugFallbackEvent reportBugFallback = 8;
+    CertificateInstallSuccessEvent certificateInstallSuccess = 9;
+    CertificateInstallCanceledEvent certificateInstallCanceled = 10;
+    CertificateInstallFailedEvent certificateInstallFailed = 11;
  }
 }

@ -276,6 +283,9 @@ message ReportBugSuccessEvent {}
 message ReportBugErrorEvent {}
 message ShowMainWindowEvent {}
 message ReportBugFallbackEvent {}
+message CertificateInstallSuccessEvent {}
+message CertificateInstallCanceledEvent {}
+message CertificateInstallFailedEvent {}

 //**********************************************************
 // Login related events
--- a/internal/frontend/grpc/bridge_grpc.pb.go
+++ b/internal/frontend/grpc/bridge_grpc.pb.go
@ -51,7 +51,6 @@ type BridgeClient interface {
 	ColorSchemeName(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*wrapperspb.StringValue, error)
 	CurrentEmailClient(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*wrapperspb.StringValue, error)
 	ReportBug(ctx context.Context, in *ReportBugRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
-	ExportTLSCertificates(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	ForceLauncher(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	SetMainExecutable(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	// login
@ -90,6 +89,10 @@ type BridgeClient interface {
 	ReportBugClicked(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	AutoconfigClicked(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	KBArticleClicked(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	// TLS certificate related calls
+	IsTLSCertificateInstalled(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*wrapperspb.BoolValue, error)
+	InstallTLSCertificate(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
+	ExportTLSCertificates(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	// Server -> Client event stream
 	RunEventStream(ctx context.Context, in *EventStreamRequest, opts ...grpc.CallOption) (Bridge_RunEventStreamClient, error)
 	StopEventStream(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error)
@ -337,15 +340,6 @@ func (c *bridgeClient) ReportBug(ctx context.Context, in *ReportBugRequest, opts
 	return out, nil
 }

-func (c *bridgeClient) ExportTLSCertificates(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-	out := new(emptypb.Empty)
-	err := c.cc.Invoke(ctx, "/grpc.Bridge/ExportTLSCertificates", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *bridgeClient) ForceLauncher(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error) {
 	out := new(emptypb.Empty)
 	err := c.cc.Invoke(ctx, "/grpc.Bridge/ForceLauncher", in, out, opts...)
@ -625,6 +619,33 @@ func (c *bridgeClient) KBArticleClicked(ctx context.Context, in *wrapperspb.Stri
 	return out, nil
 }

+func (c *bridgeClient) IsTLSCertificateInstalled(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*wrapperspb.BoolValue, error) {
+	out := new(wrapperspb.BoolValue)
+	err := c.cc.Invoke(ctx, "/grpc.Bridge/IsTLSCertificateInstalled", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *bridgeClient) InstallTLSCertificate(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, "/grpc.Bridge/InstallTLSCertificate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *bridgeClient) ExportTLSCertificates(ctx context.Context, in *wrapperspb.StringValue, opts ...grpc.CallOption) (*emptypb.Empty, error) {
+	out := new(emptypb.Empty)
+	err := c.cc.Invoke(ctx, "/grpc.Bridge/ExportTLSCertificates", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *bridgeClient) RunEventStream(ctx context.Context, in *EventStreamRequest, opts ...grpc.CallOption) (Bridge_RunEventStreamClient, error) {
 	stream, err := c.cc.NewStream(ctx, &Bridge_ServiceDesc.Streams[0], "/grpc.Bridge/RunEventStream", opts...)
 	if err != nil {
@ -697,7 +718,6 @@ type BridgeServer interface {
 	ColorSchemeName(context.Context, *emptypb.Empty) (*wrapperspb.StringValue, error)
 	CurrentEmailClient(context.Context, *emptypb.Empty) (*wrapperspb.StringValue, error)
 	ReportBug(context.Context, *ReportBugRequest) (*emptypb.Empty, error)
-	ExportTLSCertificates(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error)
 	ForceLauncher(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error)
 	SetMainExecutable(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error)
 	// login
@ -736,6 +756,10 @@ type BridgeServer interface {
 	ReportBugClicked(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
 	AutoconfigClicked(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error)
 	KBArticleClicked(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error)
+	// TLS certificate related calls
+	IsTLSCertificateInstalled(context.Context, *emptypb.Empty) (*wrapperspb.BoolValue, error)
+	InstallTLSCertificate(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
+	ExportTLSCertificates(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error)
 	// Server -> Client event stream
 	RunEventStream(*EventStreamRequest, Bridge_RunEventStreamServer) error
 	StopEventStream(context.Context, *emptypb.Empty) (*emptypb.Empty, error)
@ -824,9 +848,6 @@ func (UnimplementedBridgeServer) CurrentEmailClient(context.Context, *emptypb.Em
 func (UnimplementedBridgeServer) ReportBug(context.Context, *ReportBugRequest) (*emptypb.Empty, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ReportBug not implemented")
 }
-func (UnimplementedBridgeServer) ExportTLSCertificates(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ExportTLSCertificates not implemented")
-}
 func (UnimplementedBridgeServer) ForceLauncher(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ForceLauncher not implemented")
 }
@ -920,6 +941,15 @@ func (UnimplementedBridgeServer) AutoconfigClicked(context.Context, *wrapperspb.
 func (UnimplementedBridgeServer) KBArticleClicked(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method KBArticleClicked not implemented")
 }
+func (UnimplementedBridgeServer) IsTLSCertificateInstalled(context.Context, *emptypb.Empty) (*wrapperspb.BoolValue, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method IsTLSCertificateInstalled not implemented")
+}
+func (UnimplementedBridgeServer) InstallTLSCertificate(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method InstallTLSCertificate not implemented")
+}
+func (UnimplementedBridgeServer) ExportTLSCertificates(context.Context, *wrapperspb.StringValue) (*emptypb.Empty, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ExportTLSCertificates not implemented")
+}
 func (UnimplementedBridgeServer) RunEventStream(*EventStreamRequest, Bridge_RunEventStreamServer) error {
 	return status.Errorf(codes.Unimplemented, "method RunEventStream not implemented")
 }
@ -1407,24 +1437,6 @@ func _Bridge_ReportBug_Handler(srv interface{}, ctx context.Context, dec func(in
 	return interceptor(ctx, in, info, handler)
 }

-func _Bridge_ExportTLSCertificates_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(wrapperspb.StringValue)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(BridgeServer).ExportTLSCertificates(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/grpc.Bridge/ExportTLSCertificates",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(BridgeServer).ExportTLSCertificates(ctx, req.(*wrapperspb.StringValue))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _Bridge_ForceLauncher_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(wrapperspb.StringValue)
 	if err := dec(in); err != nil {
@ -1983,6 +1995,60 @@ func _Bridge_KBArticleClicked_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }

+func _Bridge_IsTLSCertificateInstalled_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(BridgeServer).IsTLSCertificateInstalled(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/grpc.Bridge/IsTLSCertificateInstalled",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(BridgeServer).IsTLSCertificateInstalled(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Bridge_InstallTLSCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(BridgeServer).InstallTLSCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/grpc.Bridge/InstallTLSCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(BridgeServer).InstallTLSCertificate(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Bridge_ExportTLSCertificates_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(wrapperspb.StringValue)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(BridgeServer).ExportTLSCertificates(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/grpc.Bridge/ExportTLSCertificates",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(BridgeServer).ExportTLSCertificates(ctx, req.(*wrapperspb.StringValue))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _Bridge_RunEventStream_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(EventStreamRequest)
 	if err := stream.RecvMsg(m); err != nil {
@ -2133,10 +2199,6 @@ var Bridge_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "ReportBug",
 			Handler:    _Bridge_ReportBug_Handler,
 		},
-		{
-			MethodName: "ExportTLSCertificates",
-			Handler:    _Bridge_ExportTLSCertificates_Handler,
-		},
 		{
 			MethodName: "ForceLauncher",
 			Handler:    _Bridge_ForceLauncher_Handler,
@ -2261,6 +2323,18 @@ var Bridge_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "KBArticleClicked",
 			Handler:    _Bridge_KBArticleClicked_Handler,
 		},
+		{
+			MethodName: "IsTLSCertificateInstalled",
+			Handler:    _Bridge_IsTLSCertificateInstalled_Handler,
+		},
+		{
+			MethodName: "InstallTLSCertificate",
+			Handler:    _Bridge_InstallTLSCertificate_Handler,
+		},
+		{
+			MethodName: "ExportTLSCertificates",
+			Handler:    _Bridge_ExportTLSCertificates_Handler,
+		},
 		{
 			MethodName: "StopEventStream",
 			Handler:    _Bridge_StopEventStream_Handler,
--- a/internal/frontend/grpc/event_factory.go
+++ b/internal/frontend/grpc/event_factory.go
@ -45,6 +45,18 @@ func NewReportBugFallbackEvent() *StreamEvent {
 	return appEvent(&AppEvent{Event: &AppEvent_ReportBugFallback{ReportBugFallback: &ReportBugFallbackEvent{}}})
 }

+func NewCertInstallSuccessEvent() *StreamEvent {
+	return appEvent(&AppEvent{Event: &AppEvent_CertificateInstallSuccess{CertificateInstallSuccess: &CertificateInstallSuccessEvent{}}})
+}
+
+func NewCertInstallCanceledEvent() *StreamEvent {
+	return appEvent(&AppEvent{Event: &AppEvent_CertificateInstallCanceled{CertificateInstallCanceled: &CertificateInstallCanceledEvent{}}})
+}
+
+func NewCertInstallFailedEvent() *StreamEvent {
+	return appEvent(&AppEvent{Event: &AppEvent_CertificateInstallFailed{CertificateInstallFailed: &CertificateInstallFailedEvent{}}})
+}
+
 func NewShowMainWindowEvent() *StreamEvent {
 	return appEvent(&AppEvent{Event: &AppEvent_ShowMainWindow{ShowMainWindow: &ShowMainWindowEvent{}}})
 }
--- a/internal/frontend/grpc/service_cert.go
+++ b/internal/frontend/grpc/service_cert.go
@ -0,0 +1,79 @@
+// Copyright (c) 2023 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package grpc
+
+import (
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+
+	"github.com/ProtonMail/gluon/async"
+	"github.com/ProtonMail/proton-bridge/v3/internal/certs"
+	"google.golang.org/protobuf/types/known/emptypb"
+	"google.golang.org/protobuf/types/known/wrapperspb"
+)
+
+func (s *Service) IsTLSCertificateInstalled(context.Context, *emptypb.Empty) (*wrapperspb.BoolValue, error) {
+	s.log.Info("IsTLSCertificateInstalled")
+
+	cert, _ := s.bridge.GetBridgeTLSCert()
+
+	return &wrapperspb.BoolValue{Value: certs.NewInstaller().IsCertInstalled(cert)}, nil
+}
+
+func (s *Service) InstallTLSCertificate(context.Context, *emptypb.Empty) (*emptypb.Empty, error) {
+	s.log.Info("InstallTLSCertificate")
+
+	go func() {
+		defer async.HandlePanic(s.panicHandler)
+		cert, _ := s.bridge.GetBridgeTLSCert()
+
+		err := certs.NewInstaller().InstallCert(cert)
+		switch {
+		case err == nil:
+			_ = s.SendEvent(NewCertInstallSuccessEvent())
+		case errors.Is(err, certs.ErrUserCanceledCertificateInstall):
+			_ = s.SendEvent(NewCertInstallCanceledEvent())
+		default:
+			_ = s.SendEvent(NewCertInstallFailedEvent())
+		}
+	}()
+
+	return &emptypb.Empty{}, nil
+}
+
+func (s *Service) ExportTLSCertificates(_ context.Context, folderPath *wrapperspb.StringValue) (*emptypb.Empty, error) {
+	s.log.WithField("folderPath", folderPath).Info("ExportTLSCertificates")
+
+	go func() {
+		defer async.HandlePanic(s.panicHandler)
+
+		cert, key := s.bridge.GetBridgeTLSCert()
+
+		if err := os.WriteFile(filepath.Join(folderPath.Value, "cert.pem"), cert, 0o600); err != nil {
+			_ = s.SendEvent(NewGenericErrorEvent(ErrorCode_TLS_CERT_EXPORT_ERROR))
+		}
+
+		if err := os.WriteFile(filepath.Join(folderPath.Value, "key.pem"), key, 0o600); err != nil {
+			_ = s.SendEvent(NewGenericErrorEvent(ErrorCode_TLS_KEY_EXPORT_ERROR))
+		}
+	}()
+
+	return &emptypb.Empty{}, nil
+}
--- a/internal/frontend/grpc/service_methods.go
+++ b/internal/frontend/grpc/service_methods.go
@ -21,8 +21,6 @@ import (
 	"context"
 	"encoding/base64"
 	"errors"
-	"os"
-	"path/filepath"
 	"runtime"

 	"github.com/Masterminds/semver/v3"
@ -364,26 +362,6 @@ func (s *Service) ReportBug(_ context.Context, report *ReportBugRequest) (*empty
 	return &emptypb.Empty{}, nil
 }

-func (s *Service) ExportTLSCertificates(_ context.Context, folderPath *wrapperspb.StringValue) (*emptypb.Empty, error) {
-	s.log.WithField("folderPath", folderPath).Info("ExportTLSCertificates")
-
-	go func() {
-		defer async.HandlePanic(s.panicHandler)
-
-		cert, key := s.bridge.GetBridgeTLSCert()
-
-		if err := os.WriteFile(filepath.Join(folderPath.Value, "cert.pem"), cert, 0o600); err != nil {
-			_ = s.SendEvent(NewGenericErrorEvent(ErrorCode_TLS_CERT_EXPORT_ERROR))
-		}
-
-		if err := os.WriteFile(filepath.Join(folderPath.Value, "key.pem"), key, 0o600); err != nil {
-			_ = s.SendEvent(NewGenericErrorEvent(ErrorCode_TLS_KEY_EXPORT_ERROR))
-		}
-	}()
-
-	return &emptypb.Empty{}, nil
-}
-
 func (s *Service) ForceLauncher(_ context.Context, launcher *wrapperspb.StringValue) (*emptypb.Empty, error) {
 	s.log.WithField("launcher", launcher.Value).Debug("ForceLauncher")