Distribute the SIA Proxy certificate
If SIA Proxy is enabled, you need to distribute the trusted man-in-the-middle (MITM) root certificate authority (CA) certificate that you generated in SIA (Akamai certificate) to the computers or TLS clients in your network. Any client that trusts this CA accepts the certificates that SIA Proxy issues on the fly for every inspected site, so distribute it only to devices whose traffic is meant to pass through SIA Proxy.
Note: If you activated a subordinate CA certificate issued by your own root (non-Akamai certificate), distribution is only necessary if the workstations in your network do not already trust the root certificate that issued it.
Depending on the method that your organization uses to manage devices and distribute certificates, use the procedure that applies to you:
- Distribute a certificate to Windows Servers with Group Policy
- Distribute a certificate to Chrome devices
- Distribute the certificate to the Python requests library
- Add a certificate to macOS
- Enable enterprise trusted root certificates in Firefox
- Enable enterprise trusted root certificates across a network
- Import a certificate into a Chrome instance
- Import a certificate into a Firefox instance
- Import a certificate into an Internet Explorer instance
- Import a certificate to the Java KeyStore
Distribute a certificate to Windows Servers with Group Policy
You can use the Group Policy Management console on a domain controller to distribute the certificate to the domain-joined Windows computers in your network. This procedure applies to Windows Server 2016, 2012 R2, and 2012.
You need to be a domain or enterprise administrator to perform this procedure.
To distribute a certificate to Windows servers with Group Policy:
1. On the domain controller, open the Group Policy Management console.
2. Locate an existing Group Policy Object (GPO), or create a new one, that is linked to the domain, site, or organizational unit (OU) containing the target computers.
3. Right-click the GPO and select Edit.
4. In the Group Policy Management Editor, click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
5. Right-click Trusted Root Certification Authorities and select Import. The Certificate Import Wizard appears.
6. Click Next.
7. Browse to or enter the location where the certificate is stored, and click Next.
8. Make sure Place all certificates in the following store is selected, with Trusted Root Certification Authorities as the store, and click Next.
9. Click Finish. The certificate is installed on the computers in scope at their next Group Policy refresh.
Distribute a certificate to Chrome devices
Complete this procedure to enable SSL inspection and distribute the certificate to the Chrome devices in your network. Chrome devices need an uninspected connection to a set of Google hostnames for enrollment, sign-in, policy download, and updates, so those hostnames must be excluded from inspection before the certificate is deployed.
To distribute a certificate to Chrome devices:
1. Add the required hostnames to an exception list in Secure Internet Access Enterprise:
   a. In the Threat Protection menu of Enterprise Center, select Policies > Lists.
   b. Select New Custom Exception List.
   c. Add these domains to the list and click Save:
      - accounts.google.com
      - accounts.google.[country], where [country] is the top-level domain for the country
      - accounts.gstatic.com
      - accounts.youtube.com
      - alt*.gstatic.com
      - clients1.google.com
      - clients2.google.com
      - clients3.google.com
      - clients4.google.com
      - commondatastorage.googleapis.com
      - cros-omahaproxy.appspot.com
      - dl.google.com
      - dl-ssl.google.com
      - gweb-gettingstartedguide.appspot.com
      - m.google.com
      - omahaproxy.appspot.com
      - pack.google.com
      - policies.google.com
      - safebrowsing-cache.google.com
      - safebrowsing.google.com
      - ssl.gstatic.com
      - storage.googleapis.com
      - tools.google.com
      - www.googleapis.com
      - www.gstatic.com
2. Import the certificate into the Google Admin Console:
   a. In the Google Admin Console, click Device management.
   b. In the left navigation menu, click Network.
   c. Click Certificates and then click Add Certificate.
   d. Upload the certificate (.pem) file.
   e. Select Use this certificate as an HTTPS certificate authority.
   f. Click Save and then click Done. The certificate is pushed to Chrome devices.
Next Steps
1. Verify that the CA for the certificate is now on Chrome devices:
   a. In the browser address bar, go to chrome://settings/certificates.
   b. Click Authorities.
   c. Locate the CA for the certificate you added.
2. Verify that SSL inspection works properly:
   a. With a Chrome device that now contains the certificate, go to a website where SSL inspection is allowed.
   b. In the address bar, click the building icon to view connection information, and confirm that the site certificate was issued by the SIA Proxy CA you added.
Distribute the certificate to the Python requests library
Many applications written in Python do not use the operating system trust store. The requests library, and tools built on it such as pip and Certbot, verify TLS connections against the CA bundle shipped in the certifi package instead, so the proxy certificate has to be added to that bundle (or to a bundle that these tools are pointed at).
If you see this error when using a Python-based application, complete the following procedure to make the proxy certificate available to the Python requests library:
...
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)'))': /simple/pip/
To distribute the proxy certificate to the Python requests library:
1. Download and save the certificate that you generated or set up in Enterprise Center. For instructions, see Download a Certificate.
2. Use certifi to identify where the existing certificate bundle is located on the system. The command prints the path:
% python -m certifi
<path>/lib/python/site-packages/certifi/cacert.pem
where <path> is the location where Python is installed on the system. Each Python installation and each virtual environment has its own copy of certifi, so run this command with the same interpreter that the affected application uses. To learn more about certifi and how to install it, see python-certifi on GitHub.
3. Append the proxy certificate to this bundle. You can use this Bash command:
% cat <sia-enterprise-certificate>.pem >> <path>/lib/python/site-packages/certifi/cacert.pem
where <sia-enterprise-certificate> is the proxy certificate and <path> is the location where Python is installed on the system. The certificate must be in PEM format; a binary .der file cannot be appended to the bundle. Note that upgrading certifi replaces cacert.pem, so the certificate must be appended again after every upgrade. Keeping a separate copy of the bundle and pointing the environment variable at that copy avoids this.
4. Set the REQUESTS_CA_BUNDLE environment variable. It must be exported so that the applications you start from the shell see it:
% export REQUESTS_CA_BUNDLE=<path>/lib/python/site-packages/certifi/cacert.pem
pip reads the PIP_CERT environment variable for the same purpose, and the standard-library ssl module (used by urllib and http.client) reads SSL_CERT_FILE.
5. Start, or quit and restart, the Python-based application. For example, if you're using pip, you can enter this command and confirm that the error no longer appears:
% pip install --upgrade pip
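The following POSIX shell script is an added example, not Akamai's own tooling, that performs the procedure above in a way that survives a certifi upgrade: it copies the certifi bundle to a separate file, appends the SIA Proxy certificate only if it is not already in that file, and prints the export lines that requests, the ssl module and pip read. The bundle path ~/.config/sia-ca-bundle.pem and the CERT/OUT arguments are this example's own choices; the certificate text used in its test is a constructed placeholder, not a real certificate.

```bash
#!/bin/sh
# Added example (not Akamai code): maintain a private CA bundle for Python tooling.
# Usage: sh sia-bundle.sh --run <sia-enterprise-certificate>.pem ~/.config/sia-ca-bundle.pem
set -e

# pem_body FILE: the base64 body of the first certificate in FILE, joined into one
# line, so it can be compared with a bundle regardless of line wrapping.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { f = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         f' "$1" | tr -d '\r\n'
}

# bundle_has_cert BUNDLE CERT: succeed if CERT already appears in BUNDLE.
bundle_has_cert() {
    local body
    body="$(pem_body "$2")"
    [ -n "$body" ] || return 1
    tr -d '\r\n' < "$1" | grep -qF -- "$body"
}

# build_bundle SRC CERT OUT: copy the certifi bundle SRC to OUT (only if OUT does
# not exist yet) and append CERT once. Rerunning it is a no-op, so it can be
# scheduled after every certifi upgrade.
build_bundle() {
    local src="$1" cert="$2" out="$3"
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "$cert is not a PEM certificate; convert a .der file with openssl x509 -inform der first" >&2
        return 1
    fi
    [ -f "$out" ] || cp "$src" "$out"
    if bundle_has_cert "$out" "$cert"; then
        echo "certificate already present in $out" >&2
        return 0
    fi
    {
        printf '\n# SIA Proxy MITM CA, appended %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        cat "$cert"
        echo
    } >> "$out"
}

# cert_count FILE: number of certificates in a PEM bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# export_bundle OUT: print the environment settings to eval or add to a profile.
export_bundle() {
    printf "export REQUESTS_CA_BUNDLE='%s'\n" "$1"   # requests and tools built on it
    printf "export SSL_CERT_FILE='%s'\n" "$1"        # stdlib ssl: urllib, http.client
    printf "export PIP_CERT='%s'\n" "$1"             # pip (same setting as pip's --cert)
}

# Locate the bundle of the interpreter in PATH, build the private copy, print exports.
if [ "${1:-}" = "--run" ] && [ $# -eq 3 ]; then
    build_bundle "$(python3 -m certifi)" "$2" "$3"
    export_bundle "$3"
fi
```

Run it with the same python3 that the affected application uses, then eval its output in the shell (or paste the three export lines into the profile) before restarting the application. Because the private bundle is a separate file, a certifi upgrade neither removes the proxy certificate nor needs the append to be repeated; only a rerun after a new Python installation is required.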
Add a certificate to macOS
Perform this procedure to add the certificate to the System keychain with the Keychain Access application on a Mac. The System keychain applies to all users of the computer; the login keychain would trust the certificate for the current user only.
To add a certificate to macOS:
1. Open the Keychain Access app.
2. If necessary, unlock the application by clicking the lock icon and entering the administrator password for the computer.
3. In the Keychains area, click System.
4. Do one of these steps:
   - Drag and drop the certificate file from a location on your computer into the list of items in the System keychain.
   - In the application menu, click File > Import Items and select the certificate.
5. In the System keychain, locate the certificate and double-click it to open it.
6. In the certificate window, click the arrow next to Trust.
7. In the Trust settings, select Always Trust for each option (or set When using this certificate to Always Trust, which applies it to every option). Close the window and enter the administrator password when prompted to save the change.
Enable enterprise trusted root certificates in Firefox
In the latest versions of Firefox, you can enable Firefox to recognize the trusted root certificates that are in the Windows certificate store of your enterprise, so that a certificate distributed with Group Policy is trusted by Firefox without a separate import. This operation is supported on Windows with Firefox 49 and later. This procedure is not supported on Mac.
To enable enterprise trusted root certificates in Firefox:
1. In the Firefox address bar, go to about:config.
2. Accept the warning message that appears.
3. In the preference search field, enter this name for the setting:
security.enterprise_roots.enabled
4. Click the toggle button to set this preference to true.
Enable enterprise trusted root certificates across a network
Before you begin
Verify on one Firefox instance that the preference setting makes Firefox trust the certificates in the Windows certificate store. See Enable enterprise trusted root certificates in Firefox.
To enable trusted root certificates across your network, you set and lock the security.enterprise_roots.enabled preference in a Firefox autoconfig file and distribute that file, together with the file that loads it, with Windows Group Policy. Firefox 60 and later can also apply this setting through the ImportEnterpriseRoots enterprise policy (delivered with policies.json or the Firefox ADMX templates), which does not depend on the autoconfig mechanism described here.
This procedure assumes that Firefox is installed in the default location on Windows. To modify the group policy, you need to be a domain or enterprise administrator.
To enable enterprise trusted root certificates across a network:
1. Create the configuration file that locks the preference setting to trust the certificates that are in the Windows certificate store:
   a. Create a text file with this content. Firefox ignores the first line of an autoconfig file, so the first line must be a comment and the lockPref call must be on the second line:
//
lockPref("security.enterprise_roots.enabled", true);
   b. Save the file as mozilla.cfg and make sure it is ANSI encoded.
2. Create a JavaScript file that tells Firefox to load the new configuration file:
   a. Create a local-settings.js file with this content:
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");
   b. Save the file as an ANSI encoded file.
3. Copy the mozilla.cfg and local-settings.js files to a network shared folder.
4. Distribute these files with Group Policy:
   a. On the domain controller, open the Group Policy Management console.
   b. Locate an existing GPO, or create a new one, that is linked to the domain, site, or OU containing the target computers.
   c. Right-click the GPO and select Edit.
   d. In the Group Policy Management Editor, click Computer Configuration > Preferences > Windows Settings > Files.
   e. Right-click in the Files area and select New > File.
   f. For Source File(s), browse to the mozilla.cfg file in the network shared folder.
   g. For Destination File, enter the Firefox installation directory. The path depends on whether the installed Firefox is 32-bit or 64-bit, not only on the Windows version:
      - On 32-bit Windows, or for 64-bit Firefox on 64-bit Windows, specify C:\Program Files\Mozilla Firefox\mozilla.cfg
      - For 32-bit Firefox on 64-bit Windows, specify C:\Program Files (x86)\Mozilla Firefox\mozilla.cfg
   h. Repeat steps 4e and 4f for the local-settings.js file.
   i. For Destination File, enter the defaults\pref folder of the same installation:
      - On 32-bit Windows, or for 64-bit Firefox on 64-bit Windows, specify C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js
      - For 32-bit Firefox on 64-bit Windows, specify C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js
   j. Click OK.
Import a certificate into a Chrome instance
Complete this procedure to import a certificate into an instance of Chrome on a single user's machine. On Windows, Chrome's Manage certificates option opens the Windows certificate store, so a certificate imported this way is trusted by every application that uses that store, not only by Chrome.
To import a certificate into a Chrome instance:
1. In the browser address bar, go to chrome://settings/.
2. In the menu, select Privacy and security.
3. Under Privacy and security, click Security.
4. Under Security, click Manage certificates.
5. In the Certificates dialog, click the Trusted Root Certification Authorities tab.
6. Click Import. The Certificate Import Wizard appears.
7. Click Next.
8. Browse to the certificate. Make sure the file type filter is set to All Files so that the certificate is shown.
9. After selecting the certificate, click Next.
10. Click Next until the import is complete. If Windows warns that you are about to install a root certificate, check that the thumbprint it shows matches the certificate you downloaded, then click Yes.
11. Select the imported certificate in the Trusted Root Certification Authorities tab and confirm its details, such as the issuer and validity dates.
Next steps
After the certificate is activated in SIA, confirm that the certificate is used when navigating to a URL:
1. Click the information icon in the browser address bar and click Certificate.
2. After reviewing general information such as the issuer and associated dates, click Details to view more information. The issuer of the site certificate should be the SIA Proxy CA you imported.
Import a certificate into a Firefox instance
Complete this procedure to import a certificate into an instance of Firefox on a single user's machine. Firefox keeps its own certificate store, so a certificate trusted by the operating system is not trusted by Firefox unless you import it here or enable enterprise root certificates.
To import a certificate into a Firefox instance:
1. In the address bar, enter about:preferences.
2. Click Privacy & Security.
3. Go to the Certificates settings.
4. Click View Certificates.
5. Click Authorities and click Import.
6. Locate and select the file for import.
7. In the Downloading Certificate dialog, select Trust this CA to identify websites and click OK. The certificate is listed under Authorities.
Next steps
After the certificate is activated in SIA, confirm that the certificate is used when navigating to a URL:
1. Click the information icon in the browser address bar and click More information.
2. After reviewing general information such as the issuer and associated dates, click Details to view more information. The issuer of the site certificate should be the SIA Proxy CA you imported.
Import a certificate into an Internet Explorer instance
Complete this procedure to import a certificate into an instance of Internet Explorer (IE) on a single user's machine. This procedure applies to IE 11. Like Chrome on Windows, IE uses the Windows certificate store, so the imported certificate is trusted by other applications that use that store as well.
To import a certificate into an IE instance:
1. In IE, open Internet options in one of these ways:
   - In the main menu, select Tools > Internet options.
   - Click the gear icon and select Internet options.
2. In the dialog, click the Content tab.
3. Click Certificates.
4. Click the Trusted Root Certification Authorities tab.
5. Click Import. The Certificate Import Wizard appears.
6. Click Next.
7. Browse to or type the location where the certificate is stored, and click Next.
8. Make sure that Place all certificates in the following store is selected, and click Next.
9. Click Finish.
Next steps
1. Open the certificate and confirm that information such as the issuer and expiration date is correct.
2. After the certificate is activated in SIA, confirm that the certificate is used when navigating to a URL:
   a. Right-click the webpage and select Properties.
   b. In the Properties dialog, click Certificates.
   c. View general information such as the issuer and associated dates. Click Details to view more information.
Import a certificate to the Java KeyStore
Before you begin:
Download the SIA Proxy certificate in .der format from Enterprise Center. For instructions, see Download a certificate. To generate a certificate for SIA Proxy, see Create an SIA Proxy MITM certificate.
If your organization deployed ETP Client and also uses Java-based applications, you need to import the SIA Proxy certificate into your Java KeyStore. By default the Java runtime does not use the operating system trust store; it verifies TLS connections against the cacerts keystore that ships with each JDK or JRE, so the import must be repeated for every Java installation that your applications use, and again after a Java installation is upgraded or replaced.
To add the SIA Proxy certificate to the Java KeyStore:
1. Open a command prompt or a terminal. If you are opening a command prompt, make sure you run it as an administrator, because the cacerts file is inside the Java installation directory and is not writable by standard users.
2. Change to the Java bin directory, where the keytool utility is located:
   - On Windows:
   cd <JAVA_HOME>\bin
   - On Mac:
   cd <JAVA_HOME>/bin
   where <JAVA_HOME> is your Java environment variable or where Java is installed on the device.
3. Depending on the operating system, enter this command to import the certificate into the keystore:
   - On Windows:
   keytool.exe -import -file "<certificate_filename>.der" -keystore "<JAVA_HOME>\lib\security\cacerts" -alias "Akamai Certificate"
   - On Mac:
   sudo keytool -import -file "<certificate_filename>.der" -keystore "<JAVA_HOME>/lib/security/cacerts" -alias "Akamai Certificate"
   where <JAVA_HOME> is your Java environment variable or where Java is installed on the device, and <certificate_filename> is the filename of the certificate. On Java 8 and earlier the keystore is located at <JAVA_HOME>\jre\lib\security\cacerts (Windows) or <JAVA_HOME>/jre/lib/security/cacerts (Mac) instead.
4. When prompted for the password, enter changeit. This is the default cacerts password; use your own value if your organization has changed it.
5. Enter yes to confirm that you trust the certificate. To verify the import, run keytool again with the -list option and the same keystore and alias, and compare the subject and fingerprint it prints with the certificate you downloaded.
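The following POSIX shell script is an added example, not Akamai tooling, that automates the keytool steps above on Linux and macOS. It locates cacerts for both the Java 9 and later layout (lib/security) and the Java 8 layout (jre/lib/security), skips the import when the alias is already present so that it can be rerun safely after a Java upgrade, uses -noprompt in place of the interactive "yes" confirmation, and prints the imported entry's subject and SHA-256 fingerprint so they can be compared with the downloaded certificate. The alias sia-proxy-ca and the CACERTS_PASSWORD override are this example's own choices.

```bash
#!/bin/sh
# Added example (not Akamai code): import the SIA Proxy CA into the Java cacerts truststore.
# Usage: JAVA_HOME=/path/to/jdk sh sia-java-ca.sh --run <certificate_filename>.der [alias]
set -e

# find_cacerts JAVA_HOME: print the path of the default truststore.
# Java 9 and later keep it in lib/security; Java 8 and earlier in jre/lib/security.
find_cacerts() {
    if [ -f "$1/lib/security/cacerts" ]; then
        echo "$1/lib/security/cacerts"
    elif [ -f "$1/jre/lib/security/cacerts" ]; then
        echo "$1/jre/lib/security/cacerts"
    else
        echo "no cacerts found under $1" >&2
        return 1
    fi
}

# keystore_password: the JDK default ("changeit") unless CACERTS_PASSWORD is set,
# for organizations that have re-keyed cacerts.
keystore_password() {
    echo "${CACERTS_PASSWORD:-changeit}"
}

# import_ca CERT [ALIAS]: import CERT (PEM or DER; keytool accepts both) under ALIAS,
# unless an entry with that alias already exists. Needs write access to cacerts,
# so run it with sudo or from an administrative shell.
import_ca() {
    local cert="$1" ca_alias="${2:-sia-proxy-ca}" kt store pw
    kt="${JAVA_HOME:?JAVA_HOME must be set}/bin/keytool"
    store="$(find_cacerts "$JAVA_HOME")"
    pw="$(keystore_password)"
    if "$kt" -list -keystore "$store" -storepass "$pw" -alias "$ca_alias" >/dev/null 2>&1; then
        echo "alias '$ca_alias' already present in $store" >&2
        return 0
    fi
    "$kt" -importcert -noprompt -trustcacerts -file "$cert" -alias "$ca_alias" \
        -keystore "$store" -storepass "$pw"
    # Show what was imported so the subject and fingerprint can be checked.
    "$kt" -list -v -keystore "$store" -storepass "$pw" -alias "$ca_alias" \
        | grep -E 'Owner:|Issuer:|Valid from|SHA256:'
}

if [ "${1:-}" = "--run" ]; then
    import_ca "$2" "${3:-}"
fi
```

Run it once per Java installation (each JDK, JRE or bundled runtime has its own cacerts) and add it to the steps that follow a Java upgrade, because a new installation ships with a fresh cacerts that does not contain the proxy CA. Passing the password on the command line is what the documented procedure does interactively; on a shared host prefer an administrative session where the command history is not world-readable.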