The Cato root certificate must be installed as a trusted certificate on every Client device that connects to the Cato Cloud. Installing the Cato certificate is mandatory for TLS Inspection and lets the Cato Cloud inspect traffic to and from the device.
We recommend that this is one of the first steps in any Cato deployment. It serves the following purposes:
- TLS Inspection: When TLS Inspection is enabled, the Cato root certificate is presented to the client as the issuer of every HTTPS website certificate. Web browsers do not trust Cato’s certificate by default, and the browser will display a certificate warning when a user visits an HTTPS website without Cato’s certificate installed. TLS Inspection is transparent to the end user if the Cato certificate is installed.
- Displaying HTTPS block pages: If TLS traffic is blocked by URL Filtering or Internet firewall rules, the Cato certificate allows access to Cato’s block page. You don't need to enable TLS Inspection to block access to HTTPS websites. However, users will see a certificate warning instead of the block page if the Cato certificate isn't installed on their computer.
The process for installing the certificate is different for each operating system:
- For Windows Clients, the Cato certificate is automatically added to the Windows certificate store and supports the Chrome and Edge browsers.
  You can manually install the Cato certificate for other browsers (such as Firefox), use an Active Directory Group Policy Object (GPO), or use an MDM to install it with the browser. For more information, see Installing the Cato Certificate on Windows Devices.
- For macOS Clients, for organizations that use an MDM, the Cato certificate is automatically installed as part of the CA keychain.
  Otherwise, the SDP user manually installs the Cato certificate. For more information, see Installing the Cato Certificate on macOS Devices.
- For iOS and Android Clients, the SDP user manually installs the Client, or you can use an MDM to install the certificate with the Client. For more information, see Installing the Cato Certificate on iOS Devices or Installing the Cato Certificate on Android Devices.
- The Cato certificate and Client installation files can be downloaded from the Client download portal.
Microsoft recommends blocking internet access for Domain Controllers. Perform steps 1-3 below on a computer other than a Domain Controller.
To install the Cato root certificate on Windows devices with GPO:
- From the navigation menu, click Administration > Certificate Management.
- From the actions menu for the certificate, click Download CER and save the file with the Cato certificate.
- Transfer the certificate file to a Domain Controller.
- On the Domain Controller, go to Administrative Tools and then open Group Policy Management.
- Right-click the top level domain and then select Create a GPO in this domain, and Link it here….
  Note: If you want to use an existing GPO, skip to step 8.
- Enter a name for the GPO and click OK.
- Right-click the GPO created in the previous step or the existing GPO and select Edit….
- Open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Settings, right-click the Trusted Root Certification Authorities folder, and then select Import….
- Click Next on the Welcome to the Certificate Import Wizard window.
- On the File to Import window, click Browse…, select the Cato certificate that you downloaded in step 3, and then click Open.
- Click Next and make sure that Place all certificates in the following store is selected and the Certificate store shown is Trusted Root Certification Authorities.
- Click Next. Verify that all the information is correct and click Finish.
  The window states, The import was successful.
- Click OK.
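
This GPO makes every computer in its scope trust the imported file as a root CA, so it is worth checking the downloaded CER before the import and confirming delivery on a client afterwards. The PowerShell below is an added example, not part of the original article or of Cato's tooling; the file path and the expected fingerprint are placeholders that you supply, and the function names are hypothetical.

```powershell
# Added example. $CerPath and $ExpectedSha256 are placeholders (assumptions):
# obtain the expected SHA-256 fingerprint from a source you trust, out of band.
$CerPath        = 'C:\Temp\cato-root.cer'
$ExpectedSha256 = '<EXPECTED-SHA256-FINGERPRINT>'

function Get-CertSha256 {
    # SHA-256 over the DER-encoded certificate (the usual "fingerprint").
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Test-RootCertFile {
    # Run before the GPO import, on the computer where the CER file was downloaded.
    param([string]$Path, [string]$Sha256)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $bc   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }  # Basic Constraints
    $now  = Get-Date
    $fp   = Get-CertSha256 $cert
    [pscustomobject]@{
        Subject          = $cert.Subject
        Sha1Thumbprint   = $cert.Thumbprint          # key used by the Cert: provider
        Sha256           = $fp
        FingerprintMatch = $fp -eq ($Sha256 -replace '[^0-9A-Fa-f]', '')
        SelfSigned       = $cert.SubjectName.Name -eq $cert.IssuerName.Name
        IsCA             = [bool]($bc -and $bc.CertificateAuthority)
        InValidityWindow = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    }
}

function Test-RootCertDeployed {
    # Run on a domain-joined client after Group Policy has refreshed (gpupdate /force).
    param([string]$Sha1Thumbprint)
    [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Sha1Thumbprint })
}

$check = Test-RootCertFile -Path $CerPath -Sha256 $ExpectedSha256
$check | Format-List
if (-not ($check.FingerprintMatch -and $check.SelfSigned -and
          $check.IsCA -and $check.InValidityWindow)) {
    Write-Warning 'Do not import this file into the GPO until the failed checks are explained.'
}
# Later, on a client: Test-RootCertDeployed -Sha1Thumbprint $check.Sha1Thumbprint
```

Record the SHA-1 thumbprint printed by the first check; it is the value to look for in the Trusted Root Certification Authorities store on clients once the policy has applied.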
4 comments
How to import the Cato certificate to the Aruba controller for Guest Wifi?
Hi Aiman,
You may like to check with Aruba TAC on the exact/detailed steps (depending on the Aruba model/version and guest access configuration/method, based on your current setup).
Here is a link, for reference: https://community.arubanetworks.com/discussion/step-by-step-instructions-on-how-to-install-ssl-certificates-on-a-aruba-controller-in-gui
Thank you.
I am trying to download the Cato certificate so I can distribute it to my endpoints, and the instructions above (step 2) say to do this: From the navigation menu, click Administration > Digital Certificate.
But this menu does not exist in the Cato management application. Where is it?
Hi Jonathon,
Is this the certificate you are looking for?
In CMA > Security > Certificate Management:
Cheers!