When HTTPS-enabled domains are blocked by a policy, Cisco Umbrella presents a block page to you which is also served over HTTPS. This block page is encrypted with a certificate signed by the Cisco Umbrella Root CA. In order to avoid certificate errors when accessing the block page, you must install the Cisco Umbrella Root CA in your browser, or if you have a network of computers, in your users' browsers.
Why take this step?
Cisco Umbrella DNS' Block Page and Block Page Bypass feature presents an SSL certificate to browsers that make connections to HTTPS sites. The certificate will match the requested site but will be signed by the Cisco Umbrella Root Certificate Authority (CA). If the Cisco Umbrella Root CA is not trusted by your browser, an error may be displayed. Typical errors include:
- "The security certificate presented by this website was not issued by a trusted certificate authority." (Internet Explorer)
- "The site's security certificate is not trusted!" (Google Chrome)
- "This Connection is Untrusted." (Mozilla Firefox)
Although the error is expected, the messages displayed can be confusing and annoying and you may wish to stop them from appearing.
To avoid these errors entirely, install the Cisco Umbrella Root CA in your browser, or the browsers of your users (if you're a network admin). This can be done on a per-browser, per-machine basis for personal use or for small deployments.
For larger deployments, you can set up an automatic installation via Group Policy (GPO). Note that the automatic installation via GPO will only work for users with Internet Explorer or Chrome on Windows systems. As such, for users of Firefox or Safari browsers, and for users on non-Windows operating systems, the manual installation procedures must be followed.
This article describes the procedures required to manually install the Cisco Umbrella Root CA in your browser.
For advanced users or systems administrators with larger networks, this article also describes how to install the Cisco Umbrella Root CA automatically (via Active Directory Group Policy Objects) for a group of users in Microsoft Windows Active Directory. This automatic installation of the Root CA only works for users with Internet Explorer or Chrome on Windows systems, so for users of Firefox or Safari browsers, and for users on non-Windows operating systems, the manual installation procedures must be followed. For Firefox, a special set of instructions can be followed with a third-party extension, as covered in the sections below.
Important: You must be a local administrator over the computer (or a network administrator over the network) in order to perform these steps.
The procedures included in this article are:
- Manually Installing the Root CA (Single Computer)
- Installing the CA in Internet Explorer & Chrome on Windows
- Installing the CA in Firefox on Windows
- Installing the CA in Safari on Mac OS X
- Installing the CA on macOS X Command line
- Installing the CA in Chromium or Chrome on Linux
- Advanced: Automatically Installing the Cisco Umbrella Root CA (For an Active Directory Network)
- Download the Certificate
Installing the Root CA on a single computer
The following three procedures describe the manual methods for installing the Cisco Umbrella Root CA in Internet Explorer, Firefox, and Safari browsers on an individual computer.
Installing the CA in Internet Explorer or Chrome on Windows
To manually install the Cisco Umbrella Root CA in your Internet Explorer browser, use the following procedure. Chrome uses Internet Explorer's certificate store, so the same procedure will also configure Chrome.
- Download the Cisco Umbrella Root CA file below.
- Note: If the Open File - Security Warning dialog is displayed, select Open.
- Select Install Certificate.
- In the Certificate Import Wizard window, select Next.
- In the Certificate Store window, select "Place all certificates in the following store," and then select Browse.
- In the Select Certificate Store window, select "Trusted Root Certification Authorities" and select OK.
- In the Certificate Store window, the "Certificate store:" shows "Trusted Root Certification Authorities." Select Next > Finish.
- In the Security Warning window, select Yes to install the certificate.
- The Certificate Import Wizard will notify you, "The import was successful." Select OK to finish.
- Exit Internet Explorer and restart it.
Installing the CA in Firefox on Windows
To manually install the Root CA in your Firefox browser on Windows, use the following procedure. This procedure assumes that you, the computer administrator, have already downloaded the Root CA and that you have sufficient access privileges to install the certificate on the local system.
- Download the Cisco Umbrella Root CA file from the links at the bottom of this article, or from the Cisco Umbrella dashboard.
- Select the "Open Menu" icon near the top right corner of the browser window.
- Select Options > Advanced > Certificates > View Certificates > Authorities > Import....
- Browse for and select the Cisco Umbrella Root Cert, downloaded in the first step.
- Select "Trust this CA to identify websites", then select OK.
- Restart the Firefox browser.
The Firefox certificate store can also be manipulated from the command line using the certutil tool from the NSS Tools package.
Installing the CA in Safari on macOS X
To manually install the Cisco Umbrella Root CA in your Safari browser on Mac OS X, use the following procedure. You must be the computer administrator to perform this action.
- Download the Cisco Umbrella Root CA file from the links at the bottom of this article, or from the Cisco Umbrella Dashboard.
- Double-click the file or drag and drop it on top of the Keychain Access icon in the Applications > Utilities folder. The Add Certificate window is displayed. Select Always Trust.
- Double-click the Cisco Umbrella Root CA to open its properties window. Change the "When using this certificate" pulldown to Always Trust.
Installing the CA on macOS X Command line
To install the Root CA on the macOS X command line, download the Cisco Umbrella Root CA and run the following commands. You must be the computer administrator to perform this action.
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /path/to/Cisco_Umbrella_Root_CA.cer
Installing the CA in Chromium or Chrome on Linux
If you want to manually install the Root CA in a Chromium-based browser in Linux, use the following procedure.
- Download the Cisco Umbrella Root CA file from the links at the bottom of this article.
- Open Chromium Settings.
- Scroll down to HTTPS/SSL.
- Click Manage certificates...
- Click Authorities.
- Click Import.
- Select the Cisco_Umbrella_Root_CA.cer and select Open.
- Select "Trust this CA to identify Websites."
- Select OK.
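The certutil route mentioned for Firefox above also covers Chromium and Chrome on Linux, which read the shared NSS database in ~/.pki/nssdb. The script below is an added example, not Cisco's own code, and it checks the file's SHA-256 fingerprint against a value you supply before adding it as a trust anchor. The nickname, the directory arguments and the fingerprint placeholder are assumptions; GNU coreutils and NSS certutil are expected on the PATH.

```shell
#!/bin/sh
# Added example (not Cisco's code). Assumes GNU coreutils and NSS certutil.
NICK="Cisco Umbrella Root CA"   # assumed nickname; any label works

# SHA-256 of the certificate's DER bytes; a .cer file may be PEM or DER.
cert_sha256() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
            grep -v '^-----' | tr -d '\r\n' | base64 -d
    else
        cat "$1"
    fi | sha256sum | cut -d' ' -f1
}

# import_root_ca CERT EXPECTED_SHA256 DIR...
# Adds CERT to each NSS database in DIR..., only if its fingerprint matches.
# NSS_DRY_RUN=1 prints the certutil commands instead of running them.
import_root_ca() {
    cert=$1
    want=$(printf %s "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    shift 2
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    got=$(cert_sha256 "$cert")
    if [ "$got" != "$want" ]; then
        echo "refusing to trust $cert: SHA-256 is $got" >&2
        return 1
    fi
    n=0
    for dir in "$@"; do
        if   [ -f "$dir/cert9.db" ]; then db="sql:$dir"  # SQLite format
        elif [ -f "$dir/cert8.db" ]; then db="dbm:$dir"  # legacy format
        else continue                                     # no NSS database here
        fi
        # -A add; -t "C,," trusts the CA for TLS server certificates only,
        # the equivalent of "Trust this CA to identify websites".
        if [ "${NSS_DRY_RUN:-0}" = 1 ]; then
            echo "certutil -A -n \"$NICK\" -t C,, -i $cert -d $db"
        else
            certutil -A -n "$NICK" -t "C,," -i "$cert" -d "$db" || return 1
        fi
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]   # fail if no database was found
}

# Usage (usual Linux locations; the fingerprint is a placeholder to be
# replaced with the value obtained from a trusted channel):
#   import_root_ca Cisco_Umbrella_Root_CA.cer "<expected-sha256>" \
#       "$HOME/.pki/nssdb" "$HOME"/.mozilla/firefox/*
```

Run it once with NSS_DRY_RUN=1 to see which databases would be touched, then confirm the result afterwards with `certutil -L -d sql:$HOME/.pki/nssdb`.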
Advanced: Automatically Installing the Root CA
As a network administrator of an Active Directory network environment, you can automatically install the Cisco Umbrella Root CA in all of your users' browsers by creating a Group Policy Object (GPO) on your Active Directory server. This can be created by using either the Microsoft Management Console (MMC) or the Group Policy Management Console (GPMC).
Installing the CA with Group Policy Using the Microsoft Management Console (MMC)
- Download the Cisco Umbrella Root CA below.
- Log in to your Active Directory server using a domain administrator account.
- Select Start > All Programs > Administrative Tools > Active Directory Users and Computers. The Microsoft Management Console (MMC) is displayed.
- To create a domain-wide policy, right-click on your domain root Organizational Unit (OU), which is displayed as your domain name, and select Properties from the context menu.
- In the <OU_Name> Properties dialog box, select the Group Policy tab.
- Select New and name the policy Cisco Certificate Installer, then press Enter on your keyboard.
- Select the new Group Policy Object and select Edit. The Group Policy Object Editor is displayed.
- In the left configuration options sidebar, expand Computer Configuration > Windows Settings > Security Settings > Public Key Policies. Right-click Trusted Root Certification Authorities, and select Import from the context menu.
- In the Certificate Import Wizard, click Next, and in the File to Import page, select Browse and navigate to where you downloaded the certificate authority on your local system, and double-click the Cisco_Umbrella_Root_CA.cer file.
- With the full path to the certificate displayed in the File name field, select Next.
- Accept the default option called "Place all certificates in the following store (Trusted Root Certification Authorities)", select Next, and then select Finish > OK.
You have now created the Group Policy Objects to install the certificate on all the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing happens every 90 to 120 minutes at randomized times. Rebooting the client machines will force the synchronization.
You can check that the Group Policy has propagated to all computers in the domain by opening Internet Explorer on a workstation PC, then opening Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities, and ensuring that the Cisco Umbrella Root CA certificate is present.
Installing the CA with Group Policy Using the Group Policy Management Console (GPMC)
The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies the management of Group Policy across the enterprise. The GPMC consists of an MMC snap-in and a set of programmable interfaces for managing Group Policy.
- Download the Cisco Umbrella Root CAs below.
- Log in to your Active Directory server using a domain administrator account.
- Select Start > All Programs > Administrative Tools > Group Policy Management. The Group Policy Management Console (GPMC) is displayed.
- To create a domain-wide policy, right-click on your domain root Organizational Unit (OU), which is displayed as your domain name, and select Create and Link a GPO Here from the context menu. The New GPO dialog box is displayed.
- In the Name field of the New GPO dialog box, enter a meaningful name for the policy object, such as "Cisco Certificate Installer."
- Right-click the new Group Policy Object, "Cisco Certificate Installer," on the right side of the window, and select Edit from the context menu. The Group Policy Object Editor is displayed.
- In the left configuration options sidebar, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, right-click Trusted Root Certification Authorities, and select Import from the context menu.
- In the Certificate Import Wizard select Next, and in the File to Import page, select Browse and navigate to where you downloaded the certificate authority on your local system, and double-click the Cisco_Umbrella_Root_CA.cer file.
- With the full path to the certificate displayed in the File name field, select Next.
- Accept the default option, "Place all certificates in the following store (Trusted Root Certification Authorities)", select Next, and then select Finish > OK.
You have now created the Group Policy Object to install the certificates on all the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing only happens every 90 to 120 minutes (at randomized times). Rebooting the client machines will force the synchronization.
You can check that the Group Policy has propagated to all computers in the domain by opening Internet Explorer on a workstation PC, opening Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities, and ensuring that the Cisco Umbrella Root CA certificate is present.
Installing the CAs in Firefox using Group Policy
By default, Group Policy cannot configure Firefox. To do so, Group Policy must be extended to include configuration options for Firefox. Firefox ADMX is a way of allowing centrally managed locked and/or default settings in Firefox via Group Policy and Administrative Templates in Active Directory. Firefox ADMX is a continuation of Firefox ADM by Mark Sammons.
You can find installation instructions on the FirefoxADMX website.