Root Cert to Endpoints

While root certificates are SSL Interception is enabled, the best practice is to install the Web Security Service root certificates on all client endpoints independent of the SSL setting. One reason is that a majority of social networking sites use SSL, which means the service must perform some SSL interception for policy checks and enforcement. Without the certificates, clients receive Untrusted Issuer warnings, which generate support/IT inquiries and loss of productivity.

All Intermediate CAs used for certificate emulation are signed with SHA-2 (SHA256).

Best Practice—Replacing a Certificate

If you are replacing an existing root certificate with a new one, the best practice is to add the new certificate to the browser-trusted list before removing the existing one. This prevents service disruptions.

Procedure: Obtain Certificate and Propagate

Step 1—Download the Root Certificate.
If you previously completed this, proceed to Step 2.
If you enable SSL Interception, users receive a security warning dialog each time they attempt to browse an encrypted (HTTPS) website because their browser does not recognize the certificate returned by the service. To prevent this security prompt, download the certificate and propagate it to all client browsers.
Ensure that the root certificate is installed on all clients. For clients with WSS Agent on the endpoints, this is automatically installed and applied to Internet Explorer, Edge and Google Chrome. If your organization uses Firefox or another browser that has its own certificate store, this certificate must be installed directly into that web browsing application.
  1. Navigate to Policy > TLS/SSL Interception.
  2. Expand the TLS/SSL Interception Certificate
  3. Click
  4. Move the downloaded certificate to an internally accessible location, such as a server that hosts applications provided by IT.
Step 2—Distribute or install the certificate on supported browsers.
Use an endpoint management application to propagate the certificate to all supported client browsers.
The alternative method is to send out the link to the certificate location and instruct users how to install it. Select the following links for browser-specific installation instructions.
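
One way to gate Step 2 for Firefox, shown as an added example that is not part of the original documentation: check the downloaded certificate's SHA-256 fingerprint against a value obtained out of band, and only then emit a Firefox `policies.json` that installs it into Firefox's own certificate store. The file path, function names and sample bytes are assumptions; the sample is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem_text: str) -> str:
    """Return the SHA-256 fingerprint (lowercase hex) of the one certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # A bundle, or an HTML error page saved as .pem, must not reach trust stores.
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def firefox_policy(cert_path: str, pem_text: str, expected_fp: str) -> dict:
    """Build policies.json content installing cert_path, only if the fingerprint matches."""
    actual = pem_fingerprint(pem_text)
    wanted = expected_fp.replace(":", "").strip().lower()
    if actual != wanted:
        raise ValueError(f"fingerprint mismatch: got {actual}, expected {wanted}")
    # "Certificates" -> "Install" is the Firefox enterprise policy that adds a CA
    # to Firefox's own store; cert_path must exist on each endpoint.
    return {"policies": {"Certificates": {"Install": [cert_path]}}}


# Constructed sample: placeholder bytes, NOT a real certificate. The fingerprint
# is taken over the raw DER bytes, so the check behaves the same on a real file.
SAMPLE_DER = b"constructed placeholder, not a real root certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
# Stand-in for the fingerprint an administrator would obtain out of band.
SAMPLE_FP = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    import json
    # Hypothetical internal path where IT stages the certificate (Step 1, item 4).
    policy = firefox_policy("/opt/it-certs/wss-root.pem", SAMPLE_PEM, SAMPLE_FP)
    print(json.dumps(policy, indent=2))
```

The resulting JSON is what an endpoint management tool would place in Firefox's `distribution/policies.json` on each client.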