Skip to content

Install Root CA Certificate

After you have generated or imported the Root CA certificate and private key it is time to install it into Trusted Root Certification authority storage. There are several ways to do that.

Please note that here we assume that the browsers in your LAN are managed - thus you as administrator are legally allowed to inspect the HTTPS traffic. This is important because inspecting HTTPS traffic may require performing some legal steps in some countries so be sure you understand what you are doing before continuing.

Manual Installation

To manually install the newly generated Root CA certificate as trusted into certificate storage on Microsoft Windows, copy the C:\ProgramData\Diladele\WebProxy\N.N\etc\myca.der file into the machine where you need to install the Root CA, double click on it and follow the steps indicated on the following screenshots.

Manually Installing Root CA

Note the certificate is not yet trusted and click on the Install Certificate button. A standard Certificate Import Wizard of Microsoft Windows will be started. Select the Local Machine storage and click Next.

Manually Installing Root CA

Place the certificate to be installed into Trusted Root Certification Authority store and click Next and then Finish.

Manually Installing Root CA

There should be a message of the successful import and again clicking on the myca.der shall reflect its trusted status.

Manually Installing Root CA

More information on the installation of the certificate and how to install it into Mozilla Firefox or other operating systems can be found in the Web Safety Admin Guide.

Automatic Installation using Group Policy

To automatically install the newly generated Root CA certificate as trusted into certificate storage of Microsoft Windows using Group Policy, copy the C:\ProgramData\Diladele\WebProxy\N.N\etc\myca.der file into your Domain Controller and start the Group Policy Management addin.

Group Policy MMC

In Group Policy Management, expand Forest / Domains / Your domain / Group Policy Objects / Default Domain Policy. Right click on it and choose Edit as shown on the following screenshot.

Group Policy Editing

In Group Policy Management editor addin, select Policies / Window Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities, right click on the right pane and select Import as shown on the following screenshot.

Trusted Root Certification Authorities

A certificate import wizard appears. Click it through, selecting the certificate you downloaded previously and ensuring the certificate goes to Trusted Root Certification Authorities store.

Certificate Import Wizard Step 1

Note: the myca.der certificate has a DER file extension and not CER as usual, but that is absolutely fine and does not matter for the system, just do not forget to select Show All Files in file browsing dialog when uploading.

Certificate Import Wizard Step 2

The certificate will be added to Trusted Root Certification Authorities store automatically.

Certificate Import Wizard Step 3

After certificate import wizard finishes you will see your certificate in the list.

Certificate Import Wizard Final Step

The domain policy shall be applied to your domain-joined computers after reboot (logoff/logon). To ensure it is indeed applied you might need to run gpupdate /force command on every desktop.

No Installation Required in Active Directory

If you have generated Trusted Root CA as intermediate authority and signed it using Microsoft Active Directory Certification services, no installation at all is needed on the client computers. The client computers already trust the Root CA of your Active Directory, so they will automatically trust the certificates signed by your Intermediate CA imported into Web Filtering Proxy. This is the most convenient method for large network deployments.

This article at Web Safety admin guide describes the intermediate certificate generation in this case.