A root certificate is required in any circumstance where Umbrella must proxy and decrypt HTTPS traffic intended for a website. It is required for Block Pages and HTTPS Inspection. For Block Pages, if you visit a blocked domain through HTTPS, a certificate must be installed so that Umbrella presents a block page rather than a browser error. For HTTPS Inspection, if a domain is proxied, a certificate must be installed so that Umbrella can decrypt HTTPS traffic without the browser presenting an error. For identities that are configured to use a DNS policy, this must be the Cisco Umbrella root certificate. For identities that are configured to use the Web policy, this can be either the Cisco Umbrella root certificate or your own CA signed root certificate.
For procedures, see:
Certificate installation can be done on a per-browser or per-machine basis. For larger deployments, you can perform an automatic installation through Group Policy Objects (GPO). Note that the automatic installation through GPO is only supported for the Edge or Chrome browsers on Windows systems. As such, for Firefox or Safari browsers, and for users on non-Windows operating systems, you must perform the manual installation procedure.
You can also install a certificate automatically—through Active Directory Group Policy Objects—for a group of users in Microsoft Windows Active Directory. This automatic installation of a certificate is only supported for Edge or Chrome browsers on Windows systems. For all other browsers and systems, you must perform the manual installation procedure.
Updated about a month ago