
Install the Cisco Certificate

Advanced Cisco Umbrella features, such as IP Layer Enforcement, SSL Decryption through the intelligent proxy, and the ability to block your own custom URLs, require that the Cisco Umbrella root certificate be installed locally. Other features, such as File Inspection, become more effective when the certificate is present because Umbrella is able to proxy and block more traffic.

The root certificate is needed in any circumstances where Umbrella must proxy and decrypt HTTPS traffic intended for a website. Therefore it is required for these core features:

  • Block Pages - If you visit a blocked domain via HTTPS you need the root certificate installed to enable Umbrella to present a block page without the browser presenting an error to the user.
  • Intelligent Proxy with SSL Decryption - If a domain is being proxied we need the root certificate to be able to decrypt the HTTPS traffic without the browser presenting an error to the user.

Other features depend on SSL Decryption functionality, which requires the root certificate. Having the SSL Decryption feature improves:

  • Custom URL Blocking - Required to block the HTTPS version of a URL.
  • Application Block/Allow - These are new features on the Application Settings page, which control applications by name. Depending on the application, we may have data to block the application via an entire domain (DNS level) or by specific URLs. This feature works more effectively if you enable SSL Decryption. (The Allow feature is not yet available to all customers.)
  • File Inspection - Enabling SSL Decryption lets us scan files downloaded from HTTPS websites. It also greatly increases the number of domains subject to proxying and file scanning.
  • IP Layer Enforcement - Many IP addresses are considered 'grey' and subject to further inspection by the intelligent proxy. HTTPS decryption must be enabled to inspect traffic to these IP addresses over HTTPS.

For more about the importance of SSL Decryption, watch Cisco Umbrella SSL Decryption.

Why Take These Steps?

Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. The certificate will match the requested site but will be signed by the Cisco Root Certificate Authority (CA). If the CA is not trusted by your browser, an error may be displayed. Typical errors include "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer), "The site's security certificate is not trusted!" (Google Chrome) or "This Connection is Untrusted" (Mozilla Firefox). Although the error is expected, the messages displayed can be confusing and annoying and you may wish to stop them from appearing.

To avoid these errors entirely, install the Cisco root certificate in your browser, or the browsers of your users (if you're a network admin). This can be done on a per-browser, per-machine basis for personal use or small deployments. For larger deployments, an automatic installation through Group Policy (GPO) can be done. The automatic installation through GPO only works for users with Internet Explorer, Edge, or Chrome on Windows systems. For users of Firefox or Safari browsers, and for users on non-Windows operating systems, the manual installation procedures must be followed.

For advanced users or systems administrators with larger networks, this article also describes how to install the Cisco root certificate automatically (through Active Directory Group Policy Objects) for a group of users in Microsoft Windows Active Directory. Because this automatic installation only works for users with Internet Explorer, Edge, or Chrome on Windows systems, the manual installation procedures must be followed for any users of Firefox or Safari browsers and for users on non-Windows operating systems.

Important

To perform these steps, you must be a local administrator over the computer or a network administrator over the network.

Install the Cisco Umbrella Root Certificate

Automatically Install the Cisco Root certificate

As a network administrator of an Active Directory network environment, you can automatically install the root certificate in all of your users' browsers by creating a Group Policy Object (GPO) on your Active Directory server. This can be created by using either the Microsoft Management Console (MMC) or the Group Policy Management Console (GPMC).

Install the Certificate with Group Policy Using the Microsoft Management Console (MMC)

  1. Download the Cisco Umbrella root certificate: download.
  2. Log into your Active Directory server using a domain administrator account.
  3. Select Start | All Programs | Administrative Tools | Active Directory Users and Computers. The Microsoft Management Console (MMC) is displayed.
  4. To create a domain-wide policy, right-click your domain root Organizational Unit (OU), which is displayed as your domain name, and select Properties from the context menu.
  5. In the <OU_Name> Properties dialog box, click the Group Policy tab.
  6. Click New, name the policy Umbrella Certificate Installer, and press Return / Enter.
  7. Select the new Group Policy Object, click Edit. The Group Policy Object Editor is displayed.
  8. In the left configuration options sidebar, expand Computer Configuration | Windows Settings | Security Settings | Public Key Policies, right-click Trusted Root Certification Authorities, and select Import from the context menu.
  9. In the Certificate Import wizard, click Next, and in the File to Import page, click Browse and navigate to where you downloaded the certificate authority on your local system, and double-click the Cisco_Umbrella_Root_CA.cer file.
  10. With the full path to the certificate displayed in the File name field, click Next.
  11. Accept the default option, Place all certificates in the following store (Trusted Root Certification Authorities), click Next, and then click Finish and OK.

You have now created the Group Policy Object to install the certificate on all the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing happens every 90 to 120 minutes at randomized times. Rebooting the client machines will force the synchronization.

You can check that the Group Policy has propagated to all computers in the domain by opening Internet Explorer on a workstation PC, opening Tools | Internet Options | Content | Certificates | Trusted Root Certification Authorities, and ensuring that the Cisco Umbrella root certificate is present.

Install the Certificate with Group Policy Using the Group Policy Management Console (GPMC)

The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies management of Group Policy across the enterprise. The GPMC consists of an MMC snap-in and a set of programmable interfaces for managing Group Policy.

  1. Download the Cisco Umbrella root certificate: download.
  2. Log into your Active Directory server using a domain administrator account.
  3. Select Start | All Programs | Administrative Tools | Group Policy Management. The Group Policy Management Console (GPMC) appears.
  4. To create a domain-wide policy, right-click your domain root Organizational Unit (OU), which is displayed as your domain name, and select Create and Link a GPO Here from the context menu.
    The New GPO dialog box appears.
  5. In the Name field of the New GPO dialog box, enter a meaningful name for the policy object. For example, Umbrella Certificate Installer.
  6. Right-click the new Group Policy Object, Umbrella Certificate Installer, on the right side of the window, and select Edit from the context menu. The Group Policy Object Editor appears.
  7. In the left configuration options sidebar, expand Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies, right-click Trusted Root Certification Authorities, and select Import from the context menu.
  8. In the Certificate Import wizard click Next, and in the File to Import page, click Browse and navigate to where you downloaded the certificate authority on your local system, and double-click the Cisco_Umbrella_Root_CA.cer file.
  9. With the full path to the certificate displayed in the File name field, click Next.
  10. Accept the default option, Place all certificates in the following store (Trusted Root Certification Authorities), click Next, and then click Finish and OK.

You have now created the Group Policy Object to install the certificate on all the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing “only” happens every 90 to 120 minutes (at randomized times). Rebooting the client machines will force the synchronization.

You can check that the Group Policy has propagated to all computers in the domain by opening Internet Explorer on a workstation PC, opening Tools | Internet Options | Content | Certificates | Trusted Root Certification Authorities, and ensuring that the Cisco Umbrella root certificate is present.
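
The propagation check described above can also be scripted on a workstation. The following PowerShell is an added example, not part of Cisco's documentation; the download location in $CerPath is an assumption, and the SHA-256 value it prints is meant to be compared with a fingerprint you obtained from a source you trust.

```powershell
# Added example (not Cisco's code). $CerPath is an assumed download location.
param(
    [string]$CerPath = "$env:USERPROFILE\Downloads\Cisco_Umbrella_Root_CA.cer"
)

# Load the downloaded file; its thumbprint is the reference value for the store lookup.
$ref = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# SHA-256 over the DER encoding, for comparison with a fingerprint obtained out of band.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$sha256 = [System.BitConverter]::ToString($sha.ComputeHash($ref.RawData)) -replace '-', ''

# A root CA is self-signed and carries basicConstraints CA=TRUE.
$bc = $ref.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$isCa         = [bool]($bc -and $bc.CertificateAuthority)
$isSelfSigned = ($ref.Subject -eq $ref.Issuer)

# Machine-wide Trusted Root store, the one the GPO import targets.
$inStore = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ref.Thumbprint })

# Certificates pushed by Group Policy are recorded under the Policies hive,
# which distinguishes a GPO deployment from a manual import on this machine.
$gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($ref.Thumbprint)"
$viaGpo = Test-Path -Path $gpoKey

[pscustomobject]@{
    Subject            = $ref.Subject
    NotAfter           = $ref.NotAfter
    Thumbprint         = $ref.Thumbprint
    Sha256             = $sha256
    IsCA               = $isCa
    SelfSigned         = $isSelfSigned
    InLocalMachineRoot = $inStore
    DeployedByGpo      = $viaGpo
}

if (-not $inStore) {
    Write-Warning 'Root not present yet; run "gpupdate /force" or wait for the next policy refresh.'
}
```

A result with InLocalMachineRoot true but DeployedByGpo false means the certificate reached this machine by a manual import rather than through the policy.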

Install the Certificate in Firefox Using Group Policy

By default, Group Policy cannot configure Firefox and, in general, deploying the Cisco Umbrella Root CA can be difficult for Firefox users, because there is no built-in way to centrally manage Firefox. This article describes how Firefox can be configured to trust certificates in the Windows certificate store: Configuring Firefox to use the Windows Certificate Store. This makes certificate management through group policy much easier in the long run.

Install the Certificate on Chromebooks using the Google Admin Console

Using the Google Admin console, you can deploy certificates to your Chromebooks. See Google's documentation, Set up certificates.

Install the Certificate on a Single Computer

The following procedures describe the manual methods for installing the Cisco Umbrella root certificate in Internet Explorer, Firefox, and Safari browsers on an individual computer.

Installing the Certificate in Internet Explorer, Edge, or Chrome on Windows

To manually install the Cisco Umbrella root certificate in your Internet Explorer browser, use the following procedure. Chrome uses Internet Explorer's certificate store, so the same procedure will also configure Chrome.

  1. Download the Cisco Umbrella root certificate: download.
    Note: If the Open File – Security Warning dialog appears, click Open.
  2. Click Install Certificate.
  3. In the Certificate Import wizard, click Next.
  4. In the Certificate Store window, select Place all certificates in the following store and then click Browse.
  5. In the Select Certificate Store window, select Trusted Root Certification Authorities and click OK.
    In the Certificate Store window, the Certificate store shows Trusted Root Certification Authorities.
  6. Click Next and then click Finish.
  7. In the Security Warning window, click Yes to install the certificate.
    The Certificate Import wizard will notify you that "The import was successful."
  8. Click OK.
  9. Restart Internet Explorer.

Install the Certificate in Firefox on Windows

This procedure assumes that you, the computer administrator, have already downloaded the Cisco Umbrella root certificate and that you have sufficient access privileges to install the certificate on the local system.

  1. Download the Cisco Umbrella root certificate: download.
  2. Click the Open Menu icon near the top right-hand corner of the browser window.
  3. Click Options > Advanced > Certificates > View Certificates > Authorities > Import.
  4. Browse for and select the Cisco Root Cert, downloaded in the first step.
  5. Select Trust this Certificate to identify websites, then click OK and OK again.
  6. Restart Firefox.
    The Firefox certificate store can also be manipulated from the command line using the certutil tool from the NSS Tools package. For more information, see Mozilla's Using the Certificate Database Tool.

Install the Certificate on Mac OS X (for the Safari browser, or all browsers)

To manually install the Cisco Umbrella root certificate in your Safari browser (or all browsers) on Mac OS X, use the following procedure. You must be the computer administrator to perform this action.

  1. Download the Cisco Umbrella root certificate: download.
  2. Double-click the file or drag and drop it on top of the Keychain Access icon in the Applications | Utilities folder. The Add Certificate window appears.
  3. Click Always Trust.
  4. Double-click the Cisco Umbrella root certificate to open its properties window. Change the When using this certificate pulldown to Always Trust.

Install the Certificate on Mac OS X Command line

You must be the computer administrator to perform this action.

To install the certificate on the OS X command line, download the certificate and run the following command:

sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /path/to/Cisco_Umbrella_Root_CA.cer

Install the Certificate in Chromium or Chrome on Linux

If you want to manually install the Cisco Umbrella root certificate in a Chromium-based browser in Linux, use the following procedure.

  1. Download the Cisco Umbrella root certificate: download.
  2. Open Chromium Settings.
  3. Scroll down to HTTPS/SSL.
  4. Click Manage certificates.
  5. Click Authorities.
  6. Click Import.
  7. Select the Cisco_Umbrella_Root_CA.cer and click Open.
  8. Select Trust this CA to identify Websites.
  9. Click OK.

Download the Certificate

  1. In Umbrella, navigate to Deployments > Configuration > Root Certificate.
  2. Click Download Certificate.

Alternatively, click here to download the certificate.

