Distribute the ETP Proxy certificate

If ETP Proxy is enabled, you need to distribute the trusted man-in-the-middle (MITM) root certificate authority (CA) certificate that you generated in ETP (Akamai certificate) to computers or TLS clients in your network.

Note: If you activated a subordinate certificate to ETP (non-Akamai certificate), certificate distribution is only necessary if the workstations in your network are not already configured with the root certificate.

Depending on the method that your organization uses to manage network devices and distribute certificates, these procedures are available for you to reference:

Distribute a certificate to Windows Servers with Group Policy

You can use the Group Policy Management console on Windows servers to distribute certificates to web servers across your network. This procedure applies to Windows Server 2016, 2012 R2, and 2012.

You need to be a domain or enterprise administrator to perform this procedure.

To distribute a certificate to Windows servers with group policy:

  1. On the domain controller, open the Group Policy Management console.

  2. Locate an existing Group Policy Object (GPO), or create a new one, that is associated with the user's domain, site, or organizational unit (OU).

  3. Right-click the GPO and select Edit.

  4. In the Group Policy Management Editor, click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  5. Right-click the Trusted Root Certification Authorities object type and select Import. The Welcome to the Certificate Import Wizard page appears.

  6. Click Next.

  7. Browse or enter the location where the certificate is stored, and click Next.

  8. Make sure Place all certificates in the following store is selected, and click Next.

  9. Click Finish.
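
A check to run around the Group Policy procedure above, added here as an example and not part of the vendor's documentation: it confirms that the file you are about to import is the CA certificate you expect, and later that a targeted server received it. The file path, the thumbprint placeholder and the function names are assumptions.

```powershell
# Assumptions: replace both values with your own. The thumbprint is the SHA-1
# value you recorded from a trusted source when the certificate was generated.
$CertPath           = 'C:\Temp\etp-proxy-ca.cer'    # hypothetical path
$ExpectedThumbprint = '<EXPECTED-SHA1-THUMBPRINT>'  # placeholder

function Test-ProxyCaFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Expected
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Convert-Path -LiteralPath $Path)
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $now = Get-Date
    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        # Thumbprints copied from the certificate dialog contain spaces.
        ThumbprintMatches = $cert.Thumbprint -eq ($Expected -replace '\s', '')
        IsCa              = [bool]($bc -and $bc.CertificateAuthority)
        InValidityPeriod  = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        # The file you distribute must hold the public certificate only.
        HasPrivateKey     = $cert.HasPrivateKey
    }
}

function Test-ProxyCaInstalled {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $clean = $Thumbprint -replace '\s', ''
    # The logical Root store view includes certificates delivered by Group Policy.
    @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $clean }).Count -gt 0
}

# Before the import step: stop if the file is not the certificate you expect.
$report = Test-ProxyCaFile -Path $CertPath -Expected $ExpectedThumbprint
$report | Format-List
if (-not ($report.ThumbprintMatches -and $report.IsCa -and
          $report.InValidityPeriod) -or $report.HasPrivateKey) {
    throw 'Certificate file failed verification; do not import it into the GPO.'
}

# On a targeted server, after the policy has refreshed:
Test-ProxyCaInstalled -Thumbprint $ExpectedThumbprint
```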

Distribute a certificate to Chrome devices

Complete this procedure to enable SSL inspection and distribute certificates across Chrome devices in your network.

To distribute a certificate to Chrome devices:

  1. Add specific hostnames to exception lists in Enterprise Threat Protector:

    1. In the Threat Protection menu of Enterprise Center, select Policies > Lists.

    2. Select New Custom Exception List.

    3. Add these domains to the list and click Save:

      • accounts.google.com

      • accounts.google.[country]

        where [country] is the top-level domain for the country.

      • accounts.gstatic.com

      • accounts.youtube.com

      • alt*.gstatic.com

      • clients1.google.com

      • clients2.google.com

      • clients3.google.com

      • clients4.google.com

      • commondatastorage.googleapis.com

      • cros-omahaproxy.appspot.com

      • dl.google.com

      • dl-ssl.google.com

      • gweb-gettingstartedguide.appspot.com

      • m.google.com

      • omahaproxy.appspot.com

      • pack.google.com

      • policies.google.com

      • safebrowsing-cache.google.com

      • safebrowsing.google.com

      • ssl.gstatic.com

      • storage.googleapis.com

      • tools.google.com

      • www.googleapis.com

      • www.gstatic.com

  2. Import the certificate into the Google Admin Console:

    1. In the Google Admin Console, click Device management.

    2. In the left navigation menu, click Network.

    3. Click Certificates and then click Add Certificate.

    4. Upload the certificate (.pem) file.

    5. Select Use this certificate as an HTTPS certificate authority.

    6. Click Save and then click Done. The certificate is pushed to Chrome devices.

Next steps

  1. Verify that the CA for the certificate is now on Chrome devices:

    1. In the browser address bar, go to chrome://settings/certificates.

    2. Click Authorities.

    3. Locate the CA for the certificate you added.

  2. Verify SSL inspection works properly:

    1. With a Chrome device that now contains the certificate, go to a website where SSL inspection is allowed.

    2. In the address bar, click the building icon to view connection information.

Add a certificate to macOS

Perform this procedure to add the certificate to the Keychain Access application on a Mac.

To add a certificate to macOS:

  1. Open the Keychain Access app.

  2. If necessary, unlock the application and enter the administrative password to the computer.

  3. In the Keychains area, click System.

  4. Do one of these steps:

    • Drag and drop the certificate from a location on your computer to the list of System keychains.

    • In the application menu, click File > Import Items and select the certificate.

  5. Navigate to the certificate and open it.

  6. In the certificate, click the arrow next to Trust.

  7. In the Trust settings, select Always Trust for each option.

Enable enterprise trusted root certificates in Firefox

In the latest versions of Firefox, you can enable Firefox to recognize the trusted root certificates that are in the Windows certificate store of your enterprise. This operation is supported on Windows with Firefox 49 and later. This procedure is not supported on Mac.

To enable enterprise trusted root certificates in Firefox:

  1. In the Firefox address bar, go to about:config

  2. Accept the warning message that appears.

  3. In the preference search field, enter this name for the setting:

    security.enterprise_roots.enabled

  4. Click the toggle button to set this preference to true.

Enable enterprise trusted root certificates across a network

Before you begin

Create a preference setting that enables trusted root certificates in an instance of Firefox. See Enable enterprise trusted root certificates in Firefox.

To enable trusted root certificates across your network, you can modify the security.enterprise_roots.enabled setting and lock this setting. You can then distribute this preference setting with Windows Group Policy.

This procedure assumes that Firefox is installed in the default location on Windows. To modify the group policy, you need to be a domain or enterprise administrator.

To enable enterprise trusted root certificates across a network:

  1. Create the configuration file that locks the preference setting to trust the certificates that are in the Windows certificate store:

    1. Create a text file with this content:

       // The first line of this file must be a comment.
       lockPref("security.enterprise_roots.enabled", true);

    2. Save the file as mozilla.cfg and make sure it is ANSI encoded.

  2. Create a JavaScript file that calls the new configuration file:

    1. Create a local-settings.js file with this content:

       pref("general.config.obscure_value", 0);
       pref("general.config.filename", "mozilla.cfg");

    2. Save the file as an ANSI encoded file.

  3. Copy the mozilla.cfg and local-settings.js files to a network shared folder.

  4. Distribute these files with Group Policy:

    1. On the domain controller, open the Group Policy Management console.

    2. Locate an existing GPO, or create a new one, that is associated with the user's domain, site, or OU.

    3. Right-click the GPO and select Edit.

    4. In the Group Policy Management Editor, click Computer Configuration > Policies > Windows Settings > Files.

    5. Right-click in the files area and select New > File.

    6. For the Source File(s), browse to the mozilla.cfg file in the network shared folder.

    7. For the Destination File, enter the default location where Firefox is installed. The path varies depending on Windows version:

      • On Windows 32-bit OS, specify C:\Program Files\Mozilla Firefox\mozilla.cfg

      • On Windows 64-bit OS, specify C:\Program Files (x86)\Mozilla Firefox\mozilla.cfg

    8. Repeat substeps 5 and 6 for the local-settings.js file.

    9. For the Destination File, enter this location depending on Windows version:

      • On a Windows 32-bit OS, specify C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js

      • On a Windows 64-bit OS, specify C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js

    10. Click OK.
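
A pre-distribution check for the two files created in this procedure, added here as an example and not part of the vendor's documentation: it catches the mistakes that make Firefox silently ignore the locked preference (wrong encoding, a missing first-line comment, a file name mismatch). The share path and the function name are assumptions.

```powershell
function Test-FirefoxAutoConfig {
    param(
        [Parameter(Mandatory = $true)][string]$CfgPath,     # mozilla.cfg
        [Parameter(Mandatory = $true)][string]$PrefJsPath   # local-settings.js
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $cfgName  = Split-Path -Leaf $CfgPath

    foreach ($file in $CfgPath, $PrefJsPath) {
        # Both files hold only ASCII text, so an ANSI save contains no BOM,
        # no NUL bytes (UTF-16) and no byte above 0x7F.
        $bytes = [System.IO.File]::ReadAllBytes((Convert-Path -LiteralPath $file))
        if (@($bytes | Where-Object { $_ -eq 0 -or $_ -gt 0x7F }).Count -gt 0) {
            $problems.Add("${file}: not plain ANSI text (BOM, UTF-16 or non-ASCII bytes)")
        }
    }

    $cfgLines = @(Get-Content -LiteralPath $CfgPath)
    # Firefox skips the first line of the configuration file, so it must be a comment.
    if ($cfgLines.Count -eq 0 -or $cfgLines[0] -notmatch '^\s*//') {
        $problems.Add("${CfgPath}: first line must be a // comment")
    }
    $lock = '^\s*lockPref\(\s*"security\.enterprise_roots\.enabled"\s*,\s*true\s*\)\s*;'
    if (@($cfgLines | Select-Object -Skip 1 | Where-Object { $_ -cmatch $lock }).Count -eq 0) {
        $problems.Add("${CfgPath}: lockPref for security.enterprise_roots.enabled not found after line 1")
    }

    $js   = Get-Content -LiteralPath $PrefJsPath -Raw
    $name = [regex]::Match($js, 'pref\(\s*"general\.config\.filename"\s*,\s*"([^"]+)"\s*\)')
    if (-not $name.Success -or $name.Groups[1].Value -ne $cfgName) {
        $problems.Add("${PrefJsPath}: general.config.filename does not name $cfgName")
    }
    # obscure_value 0 tells Firefox that mozilla.cfg is stored as plain text.
    if ($js -cnotmatch 'pref\(\s*"general\.config\.obscure_value"\s*,\s*0\s*\)') {
        $problems.Add("${PrefJsPath}: general.config.obscure_value must be 0")
    }
    return $problems
}

# Hypothetical share path; an empty result means the files are ready to distribute.
$issues = @(Test-FirefoxAutoConfig -CfgPath '\\fileserver\gpo\mozilla.cfg' `
                                   -PrefJsPath '\\fileserver\gpo\local-settings.js')
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'Firefox configuration files passed all checks.' }
```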

Import a certificate into a Chrome instance

Complete this procedure to import a certificate to an instance of Chrome on a single user's machine.

To import a certificate into a Chrome instance:

  1. In the browser address bar, go to chrome://settings/.

  2. Navigate to the bottom of the page and click Advanced.

  3. Under Privacy and security, click Security.

  4. Under Security, click Manage certificates.

  5. In the certificates dialog, click the Trusted Root Certification Authorities tab.

  6. Click Import. The Certificate Import Wizard appears.

  7. Click Next.

  8. Browse to the certificate. Make sure you show All Files to find the certificate.

  9. After finding the certificate, click Next.

  10. Click Next until the import is complete.

  11. In the certificate, confirm the certificate information.

Next steps

After the certificate is activated in ETP, confirm that the certificate is used when navigating to a URL.

  1. Click the information icon in the browser address bar and click Certificate.

  2. After reviewing the general information such as the issuer and associated dates, click Details to view more information.

Import a certificate into a Firefox instance

Complete this procedure to import a certificate to an instance of Firefox on a single user's machine.

To import a certificate into a Firefox instance:

  1. In the address bar, enter about:preferences.

  2. Click Privacy & Security.

  3. Go to the Certificates settings.

  4. Click View Certificates.

  5. Click Authorities and click Import.

  6. Locate and select the file for import.

  7. In the Downloading Certificate dialog, verify the trust options and click OK. The certificate is listed under Authorities.

Next steps

After the certificate is activated in ETP, confirm that the certificate is used when navigating to a URL.

  1. Click the information icon in the browser address bar and click More information.

  2. After reviewing the general information such as the issuer and associated dates, click Details to view more information.

Import a certificate into an Internet Explorer instance

Complete this procedure to import a certificate to an instance of Internet Explorer (IE) on a single user's machine. This procedure applies to IE 11.

To import a certificate into an IE instance:

  1. In IE, go to Internet options:

    1. In the main menu, select Tools > Internet options.

    2. Click the gear icon and select Internet options.

  2. In the dialog, click the Content tab.

  3. Click Certificates.

  4. Click the Trusted Root Certification Authorities tab.

  5. Click Import.

  6. Click Next.

  7. Browse or type the location where the certificate is stored, and click Next.

  8. Make sure that Place all certificates in the following store is selected, and click Next.

  9. Click Finish.

Next steps

  1. Open the certificate and confirm information such as the issuer and expiration date is correct.

  2. After the certificate is activated in ETP, confirm the certificate is used when navigating to a URL:

    1. Right-click the webpage and select Properties.

    2. In the Properties dialog, click Certificates.

    3. View general information such as the issuer and associated dates. Click Details to view more information.

