Installing SSL Certificates

Article author
Josh Lamb

Installation of the DNSFilter SSL root certificate is optional. It is used to display block page messages when users attempt to visit https:// websites that are blocked in your Policy. Without the certificate installed, users will receive an error in their browser when attempting to visit blocked sites. (This is because of how HTTPS operates: the block page is served in place of the requested site, and the browser only accepts it without an error if its certificate chains to a root the device trusts. This is why SSL certificates are a technical requirement for any filtering provider.)

| | Without Certificate | With Certificate |
|---|---|---|
| User tries to visit http://badsite.com | User is prevented and receives block notification. | User is prevented and receives block notification. |
| User tries to visit https://badsite.com | User is prevented and receives browser error. | User is prevented and receives block notification. |

Without the certificate, an SSL error message similar to the one below will be displayed when a user tries to visit a blocked website:

[Screenshot: browser SSL error message for a blocked website]

After installing the DNSFilter SSL root certificate, you will be able to receive block pages over https:// domains, such as the one below:

[Screenshot: DNSFilter block page displayed over https://]

Installing on Windows

In order to install the SSL root certificate on Windows, first download the DNSFilter Certificate. (If you are a Managed Services Provider, you have a separate certificate file which you can download from the Tools section of the dashboard.)

Assuming that the certificate was downloaded into the current user’s Downloads folder, you can run the following command in an administrative command prompt to install it into the certificate store:

certutil -addstore -enterprise -f "Root" "C:\Users\%username%\Downloads\DNSFilter.cer"

Firefox

The Firefox browser utilizes its own certificate store by default. The best way to install for Firefox is simply to link it to the Windows Trust Store.

This can be done in one of two ways:

  1. Navigate to about:config in Firefox and set security.enterprise_roots.enabled to true
  2. Run the following command in an administrative command prompt (credit to Thomas Leister):

     ECHO pref("security.enterprise_roots.enabled", true); > "C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js"

Deploy with PowerShell

The following PowerShell script downloads the certificate to the temp folder, installs it into the system certificate store, and enables Firefox to use the system certificate store. This is mostly for MSPs who need to mass deploy the certificate with their RMM tool.

$Url = 'https://app.dnsfilter.com/certs/DNSFilter.cer'
$File = "C:\Windows\Temp\DNSFilter.cer"
(New-Object System.Net.WebClient).DownloadFile($Url, $File)
& certutil -addstore -enterprise -f "Root" $File
if (Test-Path "C:\Program Files\Mozilla Firefox\defaults\pref\") { Set-Content "C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js" "pref('security.enterprise_roots.enabled', true);" }
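
The script above adds whatever file the URL returns to the Root store. As an added example (not DNSFilter's own script), the version below checks the downloaded certificate against a pinned thumbprint before installing it and confirms the result afterwards; `$ExpectedThumbprint` is a placeholder you fill in with a value confirmed out-of-band, and `Test-RootCertFile` is a hypothetical helper name.

```powershell
# Added example, not DNSFilter's script: verify the download before trusting it.
$ErrorActionPreference = 'Stop'
$Url  = 'https://app.dnsfilter.com/certs/DNSFilter.cer'   # URL from the article
$File = Join-Path $env:TEMP 'DNSFilter.cer'
# PLACEHOLDER (assumption): SHA-1 thumbprint you confirmed out-of-band.
$ExpectedThumbprint = '<PINNED-THUMBPRINT-HEX>'
# Drop spaces and invisible characters that come along when copying from the
# certificate dialog; a placeholder or typo then simply fails to match.
$Pin = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

function Test-RootCertFile {
    # Hypothetical helper: returns a list of problems, empty when all checks pass.
    param([string]$Path, [string]$Pin)
    $problems = @()
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Thumbprint -ne $Pin) {
        $problems += "thumbprint $($cert.Thumbprint) does not match the pinned value"
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # A certificate meant for the Root store should be a CA certificate
    # (basicConstraints with CA=TRUE, OID 2.5.29.19).
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        $problems += 'not marked as a CA certificate'
    }
    return ,$problems
}

# Older .NET defaults may not offer TLS 1.2 for the download.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    (New-Object System.Net.WebClient).DownloadFile($Url, $File)
    $problems = Test-RootCertFile -Path $File -Pin $Pin
    if ($problems.Count -gt 0) {
        throw "Refusing to install ${File}: $($problems -join '; ')"
    }
    & certutil -addstore -enterprise -f 'Root' $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore exited with $LASTEXITCODE" }
    # Confirm the certificate is present in the store it was added to.
    & certutil -enterprise -store 'Root' $Pin | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certificate $Pin not found in Root after install" }
    Write-Output "Installed root certificate $Pin"
}
finally {
    Remove-Item $File -ErrorAction SilentlyContinue
}
```

MSPs using their own certificate file would pin that file's thumbprint instead; the Firefox preference step from the original script can be appended unchanged.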

Deploying with Active Directory

SSL Certificates are installed automatically if you are using the Windows Roaming Client.

Organizations that utilize Active Directory can use Group Policy to push the DNSFilter root certificate across their infrastructure. Setup for this takes only a few minutes, and is illustrated in this clip and documented below. (Keep in mind your Group Policy OU may be different.)

Managed Services Providers (MSPs) have a different certificate file, but the install procedure is the same.

The steps to install the DNSFilter SSL certificate on Active Directory are:

  1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in.
  2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
  3. Right-click the GPO, and then click Edit.
  4. In the console tree, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
  5. On the Welcome to the Certificate Import Wizard page, click Next.
  6. On the File to Import page, type the path to the appropriate certificate files (for example, \\fs1\c$\fs1.cer), and then click Next.
  7. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  8. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
  9. Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.

(This was taken from a relevant Microsoft article.)

Installing on macOS

The SSL certificate can be installed on macOS via the shell commands listed below. (If you are a Managed Services Provider, you have a separate certificate file which you can download from the Tools section of the dashboard.)

curl -fsSL -o ~/Downloads/DNSFilter.cer https://app.dnsfilter.com/certs/DNSFilter.cer
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain ~/Downloads/DNSFilter.cer

Installing on iOS

In order to install the SSL root certificate, you’ll be required to have a passcode on the device.

  1. Download the certificate file. Tap on the file and there will be a prompt to install the certificate.
  2. Turn on trust for SSL by navigating to Settings -> General -> About -> Certificate Trust Settings. Under “Enable full trust for root certificates,” turn on trust for the certificate. Apple instructions are here.

Installing on Android

The instructions provided below are from Google.

  1. Open your device’s Settings app
  2. Tap Security & location and then Advanced and then Encryption & credentials.
  3. Under “Credential storage,” tap Install from storage.
  4. In the top left, tap the hamburger icon.
  5. Under “Open from,” tap where you saved the certificate.
  6. Tap the file. (If needed, enter the key store password. Tap OK.)
  7. Type a name for the certificate.
  8. Pick VPN and apps or Wi-Fi.
  9. Tap OK.

We recommend looking at the Roaming Clients sections if you wish to deploy protection on your roaming/off-site devices. It is also highly encouraged that you view the Preventing Circumvention article, in order to prevent users from bypassing your content filter.
