Installing the Root Certificate for TLS Inspection

Installing the Cato Root Certificate on End-user Devices

The Cato root certificate must be installed as a trusted certificate on every Client device that connects to the Cato Cloud. Installing the Cato certificate is mandatory for TLS Inspection and lets the Cato Cloud inspect traffic to and from the device.

We recommend that this is one of the first steps in any Cato deployment. It serves the following purposes:

  • TLS Inspection: When TLS Inspection is enabled, the Cato root certificate is presented to the client as the issuer of every HTTPS website certificate. Web browsers do not trust Cato’s certificate by default, and the browser will display a certificate warning when a user visits an HTTPS website without Cato’s certificate installed. TLS Inspection is transparent to the end user if the Cato certificate is installed.
  • Displaying HTTPS block pages: If TLS traffic is blocked by URL Filtering or Internet firewall rules, the Cato certificate allows access to Cato’s block page. You don't need to enable TLS Inspection to block access to HTTPS websites. However, users will see a certificate warning instead of the block page if the Cato certificate isn't installed on their computer.

Installing the Cato Root Certificate for an End User

The process for installing the certificate is different for each operating system: 

Installing the Root Certificate for the Windows Domain

Microsoft recommends blocking internet access for Domain Controllers. Perform steps 1-3 below on a computer other than a Domain Controller.

To install the Cato root certificate on Windows devices with GPO:

  1. From the navigation menu, click Administration > Certificate Management.
  2. From the actions menu for the certificate, click Download CER and save the file with the Cato certificate.

  3. Transfer the certificate file to a Domain Controller.

  4. On the Domain Controller, go to Administrative Tools and then open Group Policy Management.

  5. Right-click the top level domain and then select Create a GPO in this domain, and Link it here….

    Note: If you want to use an existing GPO, skip to step 8.

  6. Enter a name for the GPO and click OK.

  7. Right-click the GPO created in the previous step or the existing GPO and select Edit….

  8. Open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Settings, right-click the Trusted Root Certification Authorities folder, and then select Import….

  9. Click Next on the Welcome to the Certificate Import Wizard window.

  10. On the File to Import window, click Browse…, select the Cato certificate that you downloaded in step 3, and then click Open.

  11. Click Next and make sure that Place all certificates in the following store is selected and the Certificate store shown is Trusted Root Certification Authorities.

  12. Click Next. Verify that all the information is correct and click Finish.

    The window states, The import was successful.

  13. Click OK.
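
A check to run on a domain-joined client once the GPO has applied: it inspects the downloaded file and confirms that the same certificate reached the Trusted Root Certification Authorities store through Group Policy. This is an added example, not part of the original article or Cato's tooling; the file path is an assumption.

```powershell
# Added example (not from Cato). Run on a domain-joined client after the GPO
# has applied (gpupdate /target:computer /force, or the next policy refresh).
param(
    # Assumed path: wherever you copied the file from the "Download CER" step.
    [string]$CerPath = 'C:\Temp\cato-root.cer'
)

# Resolve-Path avoids .NET reading a relative path from the wrong directory.
$file = (Resolve-Path $CerPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

# 1. Inspect the file before relying on it: a root CA is self-issued and
#    carries the CA flag in its Basic Constraints extension.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp256  = ($sha256.ComputeHash($cert.RawData) |
    ForEach-Object { $_.ToString('X2') }) -join ''

# 2. Look for the same certificate in the machine's trusted-root store and in
#    the registry location where Group Policy writes root certificates.
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$gpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\' +
    $cert.Thumbprint

[pscustomobject]@{
    Subject            = $cert.Subject
    SelfIssued         = $cert.Subject -eq $cert.Issuer
    IsCA               = [bool]($bc -and $bc.CertificateAuthority)
    NotAfter           = $cert.NotAfter
    Expired            = $cert.NotAfter -lt (Get-Date)
    SHA1Thumbprint     = $cert.Thumbprint
    SHA256Fingerprint  = $fp256
    InLocalMachineRoot = [bool]$inStore
    DeliveredByGPO     = Test-Path $gpoKey
} | Format-List
```

A client that reports InLocalMachineRoot as True but DeliveredByGPO as False received the certificate some other way, such as a manual import, so it will not follow later changes to the GPO.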

4 comments

  • Aiman Almesbahi

    How to import the Cato certificate to the Aruba controller for Guest Wifi?

  • Michael Saw (Community moderator)

    Hi Aiman, 
    You may like to check with Aruba TAC on the exact/detailed steps (depending on the Aruba model/version and guest access configuration/method, based on your current setup).
    Here is a link, for reference: https://community.arubanetworks.com/discussion/step-by-step-instructions-on-how-to-install-ssl-certificates-on-a-aruba-controller-in-gui 
    Thank you.

  • Jonathan Snyder

    I am trying to download the Cato certificate so I can distribute it to my endpoints, and the instructions above (step 2) say to do this: From the navigation menu, click Administration > Digital Certificate.

    But this menu does not exist in the Cato management application. Where is it?

  • Michael Saw (Community moderator)

    Hi Jonathan,
    Is this the certificate you are looking for?

    In CMA > Security > Certificate Management:

    Cheers!
