Follow this article to download and install the SSL certificate to display a Block Page on HTTPS-based websites.
This is an optional step: content will still be blocked without the certificate. However, the page will show a certificate mismatch error instead of the Block Page.
Whitelabel SSL certificates
MSP sub-organizations automatically download a whitelabeled SSL certificate, which uses an alternative name in the certificate and instructions to maintain transparency of our service.
Context
Without the certificate, an SSL error message similar to the one below will be displayed when a user tries to visit a blocked website:
After installing the DNSFilter SSL root certificate, end-users will receive block pages over https:// domains:
Installing an SSL certificate is a technical requirement for all filtering providers that wish to display HTTPS notifications, and this requirement has remained unchanged for years.
Only deploying Roaming Clients?
Great news! Roaming Clients automatically install the SSL Certificate, making this process a little bit easier.
Install the SSL Certificate
Use these resources to install the SSL Certificate.
🚨 Important: Firefox uses its own Certificate Store, so environments that use Firefox will need to update the browser certificate separately. Mozilla's wiki and support documentation walk through the process for Windows, macOS, and Linux environments.
Windows
- From the DNSFilter dashboard, navigate to Tools and select SSL Certificate
- Download the certificate to the Downloads folder
- Copy the command:
certutil -addstore -enterprise -f "Root" "C:\Users\%username%\Downloads\DNSFilter.cer"
- Edit %username% to match the current user
- Run the command in an administrative prompt to complete the installation
MacOS
Use these shell commands to install the certificate:
wget -P ~/Downloads https://app.dnsfilter.com/certs/DNSFilter.cer
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain ~/Downloads/DNSFilter.cer
Linux
Run these commands in Terminal to install the certificate:
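# update-ca-certificates only reads PEM files ending in .crt from this directory, so save the download under that extension
sudo mkdir -p /usr/local/share/ca-certificates/
sudo wget -O /usr/local/share/ca-certificates/NetAlerts.crt https://app.dnsfilter.com/certs/NetAlerts.cer
sudo update-ca-certificates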
Mobile Devices
Typically, certificate profiles need to be manually marked as "trusted" on mobile devices. See Apple and Google's documentation to approve the SSL certificate:
Bash Script
This bash script will download and install the SSL certificate to a system.
- DNSFilter.cer:
#!/bin/bash
# Download the certificate to /tmp
curl https://app.dnsfilter.com/certs/DNSFilter.cer -o /tmp/DNSFilter.cer
# Add it to the macOS System keychain as a trusted root
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /tmp/DNSFilter.cer
exit
- NetAlerts.cer:
#!/bin/bash
# Download the certificate to /tmp
curl https://app.dnsfilter.com/certs/NetAlerts.cer -o /tmp/NetAlerts.cer
# Add it to the macOS System keychain as a trusted root
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain /tmp/NetAlerts.cer
exit
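A hardened variant of the download-and-install scripts above, added here as an example and not DNSFilter's own script: it refuses to add the certificate to the trust store unless the downloaded file matches a SHA-256 digest recorded out-of-band. `EXPECTED_SHA256` is a placeholder, the function names are illustrative, and the Linux branch assumes the file is PEM-encoded.

```shell
#!/bin/bash
# Added example (not DNSFilter's script): install only if the download matches a pin.
# EXPECTED_SHA256 is a placeholder; record the real digest out-of-band first.
CERT_URL='https://app.dnsfilter.com/certs/DNSFilter.cer'
EXPECTED_SHA256='REPLACE_WITH_SHA256_RECORDED_OUT_OF_BAND'

# Print the lowercase SHA-256 of the file's bytes with whichever tool exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Return 0 on match, 1 on mismatch, 2 on an unusable file or pin.
# Colons, spaces and case in the pin are ignored. The digest covers the file
# bytes; it equals the certificate fingerprint only for a DER-encoded file.
verify_pin() {
    local want got
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 2; }
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    case $want in
        ''|*[!0-9a-f]*) echo "pin is not a hex digest" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "pin must be 64 hex digits" >&2; return 2; }
    got=$(file_sha256 "$1")
    [ "$got" = "$want" ] || { echo "digest mismatch: got $got" >&2; return 1; }
}

# Download, verify, then install with the per-OS commands used on this page.
install_pinned_cert() {
    local tmp rc=0
    tmp=$(mktemp) || return 2
    curl -fsS "$CERT_URL" -o "$tmp" && verify_pin "$tmp" "$EXPECTED_SHA256" || rc=$?
    if [ "$rc" -eq 0 ]; then
        if [ "$(uname)" = Darwin ]; then
            sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic \
                -k /Library/Keychains/System.keychain "$tmp" || rc=$?
        else  # assumption: PEM file; update-ca-certificates needs PEM with a .crt name
            sudo install -m 0644 "$tmp" /usr/local/share/ca-certificates/DNSFilter.crt &&
                sudo update-ca-certificates || rc=$?
        fi
    fi
    rm -f "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--install" ]; then install_pinned_cert; fi
```

Run the script with `--install` to perform the download and install; with the placeholder pin left in place it fails closed and installs nothing.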
PowerShell
This PowerShell script will download the certificate to the temp folder, and then install it to the system and enable Firefox to use the system certificate store.
This is useful to mass deploy the certificate with RMM tools.
# Download the certificate to the Windows temp folder
$url = 'https://app.dnsfilter.com/certs/DNSFilter.cer'
$File = "C:\Windows\Temp\DNSFilter.cer"
(New-Object System.Net.WebClient).DownloadFile($url, $File)
# Add the certificate to the machine-wide Root store
& certutil -addstore -enterprise -f "Root" $File
# If Firefox is installed, enable its use of the system certificate store
if (Test-Path "C:\Program Files\Mozilla Firefox\defaults\pref\") {
    Set-Content "C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js" "pref('security.enterprise_roots.enabled', true);"
}
Active Directory
Follow Microsoft's documentation to complete the installation. Remember that environments that only use Roaming Clients do not need to install the root certificate separately: it's automatically installed with the agent.