From 32503424e8f0d03dcd6236a58a0e878a8a3c0720 Mon Sep 17 00:00:00 2001
From: Aaron <aaron@pikit.local>
Date: Sat, 13 Dec 2025 13:54:10 -0500
Subject: [PATCH] Onboarding: explain HTTPS, allow HTTP CA download

---
 pikit-web/onboarding/index.html | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/pikit-web/onboarding/index.html b/pikit-web/onboarding/index.html
index ea16ff9..589f43c 100644
--- a/pikit-web/onboarding/index.html
+++ b/pikit-web/onboarding/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Welcome to your Pi-Kit</title>
-    <link rel="stylesheet" href="/onboarding/style.css" />
+    <link rel="stylesheet" href="/onboarding/style.css?v=2" />
   </head>
   <body>
     <main class="card">
@@ -27,7 +27,23 @@
 
       <section class="actions">
         <button id="continueBtn">Continue to secure dashboard</button>
-        <a class="ghost" id="downloadCa" href="/assets/pikit-ca.crt" download>Download Pi-Kit CA</a>
+        <a
+          class="ghost"
+          id="downloadCa"
+          href="http://pikit.local/assets/pikit-ca.crt"
+          download
+        >
+          Download Pi-Kit CA
+        </a>
+      </section>
+
+      <section class="steps">
+        <h3>Why switch to HTTPS?</h3>
+        <ul>
+          <li>Encrypts traffic on your LAN so no one can snoop your Pi-Kit or DietPi dashboards.</li>
+          <li>Stops mixed-content / “not secure” browser warnings.</li>
+          <li>Needed for some browser features (clipboard, notifications, service workers).</li>
+        </ul>
       </section>
 
       <section class="steps">
@@ -44,12 +60,12 @@
         <p>This removes future warnings for both Pi-Kit and DietPi dashboards.</p>
         <details>
           <summary>Linux (Arch/Endeavour)</summary>
-          <code id="archCmd">curl -s https://pikit.local/assets/pikit-ca.crt -o /tmp/pikit-ca.crt && sudo install -m644 /tmp/pikit-ca.crt /etc/ca-certificates/trust-source/anchors/ && sudo trust extract-compat</code>
+          <code id="archCmd">curl -s http://pikit.local/assets/pikit-ca.crt -o /tmp/pikit-ca.crt && sudo install -m644 /tmp/pikit-ca.crt /etc/ca-certificates/trust-source/anchors/ && sudo trust extract-compat</code>
           <button class="copy" data-target="archCmd">Copy</button>
         </details>
         <details>
           <summary>Linux (Debian/Ubuntu)</summary>
-          <code id="debCmd">curl -s https://pikit.local/assets/pikit-ca.crt -o /tmp/pikit-ca.crt && sudo cp /tmp/pikit-ca.crt /usr/local/share/ca-certificates/pikit-ca.crt && sudo update-ca-certificates</code>
+          <code id="debCmd">curl -s http://pikit.local/assets/pikit-ca.crt -o /tmp/pikit-ca.crt && sudo cp /tmp/pikit-ca.crt /usr/local/share/ca-certificates/pikit-ca.crt && sudo update-ca-certificates</code>
           <button class="copy" data-target="debCmd">Copy</button>
         </details>
         <details>