Guides
ProductDeveloper
Guides

Install the Cisco Umbrella Root Certificate

Advanced Cisco Umbrella features, such as SSL Decryption through the intelligent proxy and the ability to block your own custom URLs require that you install the Cisco Umbrella root certificate. Other features, such as File Inspection, gain greater efficacy from having the certificate present as Umbrella is able to proxy and block more traffic.

Table of Contents

Prerequisites

  • You must be a local administrator over the computer or a network administrator over the network.

Automatically Install the Cisco Umbrella Root Certificate (For an Active Directory Network)

As a network administrator of an Active Directory network environment, you can automatically install the Cisco Umbrella root certificate in all of your users' browsers by creating a Group Policy Object (GPO) on your Active Directory server. This can be created by using either the Microsoft Management Console (MMC) or the Group Policy Management Console (GPMC).

Install the Cisco Umbrella Root Certificate with Group Policy Using the Microsoft Management Console (MMC)

  1. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate. Alternatively, download the root certificate here.
1016
  1. Log into your Active Directory server using a domain administrator account.
  2. Select Start > All Programs > Administrative Tools > Active Directory Users and Computers. The Microsoft Management Console (MMC) is displayed.
  3. To create a domain-wide policy, right-click your domain root Organizational Unit (OU), which is displayed as your domain name, and select Properties from the context menu.
  4. In the <OU_Name> Properties dialog box, click the Group Policy tab.
  5. Click New, name the policy Umbrella Certificate Installer, and press Return / Enter.
  6. Select the new Group Policy Object and click Edit. The Group Policy Object Editor is displayed.
  7. In the configuration options sidebar, expand Computer Configuration > Windows Settings > Security Settings > Public Key Policies, right-click Trusted Root Certification Authorities, and select Import.
  8. In the Certificate Import wizard, click Next, and in the File to Import page, click Browse. Navigate to where you downloaded the certificate authority on your local system, and double-click the Cisco_Umbrella_Root_CA.cer file.
  9. With the full path to the certificate displayed in the File name field, click Next.
  10. Accept the default option, place all certificates in the following store (Trusted Root Certification Authorities), click Next, and then click Finish and OK.

You have now created the Group Policy Object to install the Cisco Umbrella root certificate on all of the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing happens every 90 to 120 minutes at randomized times. Rebooting client machines forces the synchronization.

You can check that the Group Policy has propagated to all computers in the domain by opening your browser on a workstation, opening Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities, and ensuring that the Cisco Umbrella root certificate is present.

Install the Cisco Umbrella Root Certificate with Group Policy Using the Group Policy Management Console (GPMC)

The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies the management of Group Policy across the enterprise. The GPMC consists of an MMC snap-in and a set of programmable interfaces for managing Group Policy.

  1. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate. Alternatively, download the root certificate here.
1016
  1. Log into your Active Directory server using a domain administrator account.
  2. Select Start > All Programs > Administrative Tools > Group Policy Management. The Group Policy Management Console (GPMC) appears.
  3. To create a domain-wide policy, right-click your domain root Organizational Unit (OU), which is displayed as your domain name, and select Create and Link a GPO Here from the context menu.
    The New GPO dialog box appears.
  4. In the Name field of the New GPO dialog box, enter a meaningful name for the policy object.
  5. Right-click the new Group Policy Object, Umbrella Certificate Installer, on the right side of the window, and select Edit from the context menu. The Group Policy Object Editor appears.
  6. In the left configuration options sidebar, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, right-click Trusted Root Certification Authorities, and select Import from the context menu.
  7. In the Certificate Import wizard click Next, and in the File to Import page, click Browse and navigate to where you downloaded the certificate authority on your local system, and double-click the Cisco_Umbrella_Root_CA.cer file.
  8. With the full path to the certificate displayed in the File name field, click Next.
  9. Accept the default option, Place all certificates in the following store (Trusted Root Certification Authorities), click Next, and then click Finish and OK.

You have now created the Group Policy Object to install the Cisco Umbrella root certificate on all of the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing “only” happens every 90 to 120 minutes (at randomized times). Rebooting client machines forces the synchronization.

You can check that the Group Policy has propagated to all computers in the domain by opening your browser on a workstation, opening Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities, and ensuring that the Cisco Umbrella root certificate is present.

Install the Cisco Umbrella Root Certificate in Firefox Using Group Policy

By default, Group Policy cannot configure Firefox and, in general, deploying the Cisco Umbrella root certificate can be difficult for Firefox users because there is no built-in way to centrally manage Firefox. For information on how Firefox can be configured to trust certificates in the Windows certificate store, see Configuring Firefox to use the Windows Certificate Store.

This makes certificate management through group policy much easier in the long run.

Install the Cisco Umbrella Root Certificate on Chromebooks Using the Google Admin Console

Using the Google Admin console, you can deploy certificates to your Chromebooks. For more information, see Set up certificates.

Manually Install the Cisco Umbrella Root Certificate (Single Computer)

Install the Cisco Umbrella Root Certificate in Edge or Chrome on Windows

  1. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate. Alternatively, download the root certificate here.
1016
  1. Click Install Certificate.
  2. In the Certificate Import wizard, click Next.
  3. In the Certificate Store window, select Place all certificates in the following store and then click Browse.
  4. In the Select Certificate Store window, select Trusted Root Certification Authorities and click OK.
    In the Certificate Store window, the Certificate store shows Trusted Root Certification Authorities.
  5. Click Next and then click Finish.
  6. In the Security Warning windows, click Yes to install the certificate.
    The Certificate Import wizard will notify you that "The import was successful."
  7. Click OK.
  8. Restart browser.

Install the Cisco Umbrella Root Certificate in Firefox on Windows

  1. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate. Alternatively, download the root certificate here.
1016
  1. Click the Open Menu icon near the top right-hand corner of the browser window.
  2. Click Options > Advanced > Certificates > View Certificates > Authorities > Import.
  3. Browse for and select the Cisco Root Cert, downloaded in the first step.
  4. Select Trust this Certificate to identify websites, then click OK and OK again.
  5. Restart Firefox.
    The Firefox certificate store can also be manipulated from the command line using the certutil tool from the NSS Tools package. For more information, see Using the Certificate Database Tool.

Install the Cisco Umbrella Root Certificate in All Browsers on Mac OS X

  1. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate. Alternatively, download the root certificate here.
1016
  1. Double-click the file or drag and drop it on top of the Keychain Access icon in the Applications | Utilities folder. The Add Certificate window appears.
  2. Click Always Trust.
  3. Double-click the Cisco Umbrella root certificate to open its properties window. From the When using this certificate drop-down menu, choose Always Trust.
495

Install the Cisco Umbrella Root Certificate on Mac OS X Through the Command Line

  1. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate. Alternatively, download the root certificate here.
1016
  1. Run the following command:
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /path/to/Cisco_Umbrella_Root_CA.cer

Install the Cisco Umbrella Root Certificate in Chromium or Chrome on Linux

  1. Navigate to Deployments > Configuration > Root Certificate and click Download Certificate. Alternatively, download the root certificate here.
1016
  1. Open Chromium Settings.
  2. Scroll to HTTPS/SSL.
  3. Click Manage certificates.
  4. Click Authorities.
  5. Click Import.
  6. Select the Cisco_Umbrella_Root_CA.cer file and click Open.
  7. Select Trust this CA to identify Websites.
  8. Click OK.

Manage the Cisco Umbrella Root Certificate < Install the Cisco Umbrella Root Certificate > View Cisco Trusted Root Store