Follow this article to download and install the SSL certificate to display a Block Page on HTTPS-based websites.
This is an optional step—content will still be blocked without the certificate—however the page will load a certificate mismatch error instead of the Block Page.
Whitelabel SSL certificates
MSP sub-organizations automatically download a whitelabeled SSL certificate, which uses an alternative name in the certificate and instructions to maintain transparency of our service.
Context
Without the certificate, an SSL error message similar to the one below will be displayed when a user tries to visit a blocked website:
After installing the DNSFilter SSL root certificate, end-users will receive block pages over https:// domains:
Installing an SSL certificate is a technical requirement for all filtering providers that wish to display HTTPS notifications, and this has remained unchanged for years.
Only deploying Roaming Clients?
Great news! Roaming Clients automatically install the SSL Certificate, making this process a little bit easier.
Install the SSL Certificate
Use these resources to install the SSL Certificate.
🚨 Important: Firefox uses its own Certificate Store, so environments that use Firefox will need to update the browser certificate separately. Mozilla's wiki and support documentation walk through the process for Windows, macOS, and Linux environments.
Windows
- Download the certificate to the Downloads folder
- Copy the command:
  - certutil -addstore -enterprise -f "Root" "C:\Users\%username%\Downloads\DNSFilter.cer"
  - certutil -addstore -enterprise -f "Root" "C:\Users\%username%\Downloads\NetAlerts.cer"
- Edit %username% to match the current user
- Run the command in an administrative prompt to complete the installation
Active Directory via Group Policy Object (GPO)
- Download the Windows certificate to the Downloads folder
- Open Windows Server Manager and navigate to Group Policy Management
- Select the Organizational Units (OUs) to apply the policy
- Right click and select Create a new GPO and link it to the OU
- Name the GPO
- Edit the GPO:
- Select Policies
- Select Windows Settings
- Select Security Settings
- Select Public Key Policies
- Select Trusted Root Certificate Authorities
- Right click and select Import
- Click through the dialogs to the option to select a file
- Import the DNSFilter certificate
macOS
- Download the certificate to the Downloads folder
- Copy the command into Terminal.app to complete the installation (requires admin "sudo" password):
  - sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain ~/Downloads/DNSFilter.cer
  - sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain ~/Downloads/NetAlerts.cer
This bash script will also download and install the SSL certificate to a macOS system:
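#!/bin/bash
# Download the certificate; -f makes curl fail on an HTTP error instead of saving the error page
curl -f https://app.dnsfilter.com/certs/DNSFilter.cer -o /tmp/DNSFilter.cer
# Add it to the System keychain as a trusted root for SSL
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /tmp/DNSFilter.cer

#!/bin/bash
# Download the certificate; -f makes curl fail on an HTTP error instead of saving the error page
curl -f https://app.dnsfilter.com/certs/NetAlerts.cer -o /tmp/NetAlerts.cer
# Add it to the System keychain as a trusted root for SSL
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /tmp/NetAlerts.cer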
Linux
Run these commands in Terminal to install the certificate:
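sudo mkdir -p /usr/local/share/ca-certificates/
# update-ca-certificates only picks up PEM-encoded files ending in .crt, so save under that extension
sudo wget -O /usr/local/share/ca-certificates/DNSFilter.crt https://app.dnsfilter.com/certs/DNSFilter.cer
sudo update-ca-certificates

sudo mkdir -p /usr/local/share/ca-certificates/
# update-ca-certificates only picks up PEM-encoded files ending in .crt, so save under that extension
sudo wget -O /usr/local/share/ca-certificates/NetAlerts.crt https://app.dnsfilter.com/certs/NetAlerts.cer
sudo update-ca-certificates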
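The macOS and Linux scripts above download a root certificate and trust it in one step. The script below is an added example, not DNSFilter's own code: it checks the downloaded bytes against a SHA-256 value obtained out of band before anything is installed. The function names are hypothetical and the expected hash is a placeholder, since this page does not publish one.

```shell
#!/bin/sh
# Added example (not vendor code): pin the downloaded root certificate to a
# SHA-256 obtained out of band before it goes into a trust store.
# All function names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 of the file's bytes.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS ships shasum
    fi
}

# verify_pin FILE EXPECTED: succeed only if the file hash equals EXPECTED.
# EXPECTED may be upper case or colon separated.
verify_pin() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ': ')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# cert_encoding FILE: print "pem" or "der". update-ca-certificates on Linux
# only accepts PEM, so a DER file must be converted before it is copied.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# stage_cert URL EXPECTED: download to a private temp file (not a fixed /tmp
# name), verify the pin, print the path. Nothing is left behind on failure.
stage_cert() {
    tmp=$(mktemp) || return 1
    if curl -fsS --proto '=https' "$1" -o "$tmp" && verify_pin "$tmp" "$2"; then
        echo "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (EXPECTED_SHA256 is a placeholder, the page does not publish one):
#   cert=$(stage_cert https://app.dnsfilter.com/certs/DNSFilter.cer "$EXPECTED_SHA256") \
#     && sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic \
#          -k /Library/Keychains/System.keychain "$cert"
```

The hash covers the file's exact bytes, so a PEM and a DER copy of the same certificate have different values; pin the encoding that is actually downloaded.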
Mobile Devices
Typically, certificate profiles need to be manually "trusted" on mobile devices. See Apple and Google's documentation to approve the SSL certificate:
PowerShell
This PowerShell script will download the certificate to the temp folder, and then install it to the system and enable Firefox to use the system certificate store.
This is useful to mass deploy the certificate with RMM tools.
# Download the certificate to the Windows temp folder
$url = 'https://app.dnsfilter.com/certs/DNSFilter.cer'
$File = "C:\Windows\Temp\DNSFilter.cer"
(New-Object System.Net.WebClient).DownloadFile($url, $File)
# Add it to the machine-wide Trusted Root store
& certutil -addstore -enterprise -f "Root" $File
# If Firefox is installed, tell it to use the Windows certificate store
if (Test-Path "C:\Program Files\Mozilla Firefox\defaults\pref\") {
    Set-Content "C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js" "pref('security.enterprise_roots.enabled', true);"
}

# Download the certificate to the Windows temp folder
$url = 'https://app.dnsfilter.com/certs/NetAlerts.cer'
$File = "C:\Windows\Temp\NetAlerts.cer"
(New-Object System.Net.WebClient).DownloadFile($url, $File)
# Add it to the machine-wide Trusted Root store
& certutil -addstore -enterprise -f "Root" $File
# If Firefox is installed, tell it to use the Windows certificate store
if (Test-Path "C:\Program Files\Mozilla Firefox\defaults\pref\") {
    Set-Content "C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js" "pref('security.enterprise_roots.enabled', true);"
}
Comments
7 comments
What is the reason for having different Certificates for Linux, MacOS and Windows?
Hi Jonathan Bullock, great question! The need for different SSL certificates across Linux, Windows, and macOS often comes down to how each OS manages its trust store. Windows, macOS, and Linux each have their own way of handling root and intermediate certificate authorities, which can lead to compatibility issues if a certificate isn't recognized in one environment.
Additionally, the process of installing and distributing certificates varies—for instance Windows supports automated deployment via Group Policy, while macOS requires profiles or manual installation, and Linux depends on different system stores. Plus, some browsers (like Firefox) don’t always use the OS trust store, adding another layer of complexity.
Let us know if this isn't quite what you're asking and happy to provide more detail!
Thank you for your response regarding the SSL certificates for different operating systems. While I understand that each OS manages its trust store differently, I'm concerned about the complexity this introduces for our users.
It seems unnecessary and cumbersome to require separate certificates for Linux, macOS, and Windows, especially when the underlying certificate content remains the same. The variation in installation processes across these platforms is understandable, but having different certificates adds an extra layer of confusion and potential for errors.
I strongly feel that we should consolidate these certificates into a single, unified SSL certificate that can be used across all platforms. This would greatly simplify the deployment process and reduce the risk of compatibility issues. It would also make our product more user-friendly and easier to manage, which is crucial for our customers.
Could you please take this feedback into consideration and explore the possibility of implementing a unified SSL certificate solution?
Thank you for your attention to this matter.
Best regards, Jonathan
For clarification. Were you referring to server side management or client side?
Hi Jonathan Bullock, I see you also opened a ticket on this topic. Our Support team will continue to work with you on the request from this point, and feel free to submit product feedback and feature requests in Canny!
By chance could not having the certificate installed cause company websites not to fully load?
Hi Sherese Woodfine, thanks for reaching out! Not having the SSL certificate installed typically won’t cause company websites to partially load—it mainly affects how our block pages are displayed for HTTPS sites.
If a website isn’t loading fully, it’s more likely that:
Let us know if this helps!