Installing the Root Certificate for TLS Inspection

Installing the Cato Root Certificate on End-user Devices

The Cato root certificate must be installed as a trusted certificate on every Client device that connects to the Cato Cloud. Installing the Cato certificate is mandatory for TLS Inspection and lets the Cato Cloud inspect traffic to and from the device.

We recommend that this is one of the first steps in any Cato deployment. It serves the following purposes:

• Displaying HTTPS block pages: If TLS traffic is blocked by URL Filtering or Internet firewall rules, the Cato certificate allows access to Cato’s block page. You don't need to enable TLS Inspection does not need to block access to HTTPS websites. However, users will see a certificate warning instead of the block page if the Cato certificate isn't installed on their computer.
• TLS Inspection: When TLS Inspection is enabled, the Cato root certificate is presented to the client as the issuer of every HTTPS website certificate. Web browsers do not trust Cato’s certificate by default, and the browser will display a certificate warning when a user visits an HTTPS website without Cato’s certificate installed. TLS Inspection is transparent to the end user if the Cato certificate is installed.

There are two ways to install the Cato root certificate:

1. End users can download the certificate from the Cato User Portal and install the certificate themselves.
2. In a Windows domain environment, Cato system admins can install the Cato certificate on all Windows domain-joined computers using an Active Directory Group Policy Object (GPO).

Installing the Cato Root Certificate for an End User

To install the Cato root certificate from the Cato User Portal:

1. Browse to https://myvpn.catonetworks.com and sign in with your Cato VPN user credentials or SSO (if enabled).
2. Click DOWNLOAD CATO CERTIFICATES.
3. Click on your operating system and then click DOWNLOAD CERTIFICATE.
4. Instructions for installing the Cato certificate are available by clicking the More Info link on the certificate download page. The table below contains links to the certificate installation guides for each operating system. (Cato TLS Inspection isn't supported for Linux Clients.)
   • Windows
   • MacOS
   • iOS
   • Android
     Note: TLS Inspection is not supported on Android 7.0 and above. Google removed the ability to install trusted third-party certificates starting with Android 7.0.

Installing the Root Certificate for the Windows Domain

To install the Cato root certificate on Windows computers with GPO:

Microsoft recommends blocking internet access for Domain Controllers. Run steps 1-3 below on a computer other than a Domain Controller.

1. Log in to the Cato Management Application.
2. In the Navigation panel, click  (System) > Digital Certificates.
3. Click the Download CER file link.
4. Transfer the downloaded certificate file to a Domain Controller.
5. On the Domain Controller, go to Administrative Tools and then open Group Policy Management.
6. Right-click on the top level domain and then select “Create a GPO in this domain, and Link it here…”.
   Note: If you want to use an existing GPO, skip to step 8.
   
7. Enter a name for the GPO and click OK.
8. Right-click the GPO created in the previous step or the existing GPO and select “Edit…”.
9. Open Computer Configuration > Policies > Windows Settings > Security Setting > Public Key Settings, right-click the Trusted Root Certification Authorities folder, and then select Import….
10. Click Next on the Welcome to the Certificate Import Wizard window.
11. On the File to Import window, click Browse…, select the Cato certificate that you downloaded in step 3, and then click Open.
12. Click Next and make sure that Place all certificates in the following store is selected and the Certificate store shown is Trusted Root Certification Authorities.
    
13. Click Next. Verify that all the information is correct and click Finish.
    The window states, The import was successful.
14. Click OK.