For information on why an SSL Certificate is required for SSL Inspection, see SSL Inspection.
You may choose to install a certificate manually, as per this article:
- For testing purposes on an individual client
- If your network has a small number of devices that need SSL or TLS Filtering
- If your network does not have any method of deploying a certificate
Note: If your network has a number of Windows devices, you may prefer to deploy the certificates via Group Policy (if you have an Active Directory server) or using a script.
Prerequisite requirement: Device Certificate Issue due to TLS version Requirement
To ensure secure and reliable connectivity, all devices must use TLS version 1.2 or higher.
Devices using older versions (TLS 1.0 or 1.1) are no longer supported due to known security vulnerabilities and will be unable to connect through the network when ETI is enabled.
If your device is not compatible with TLS 1.2, you may experience connection failures or intermittent service.
What you need to do:
- Check your device or application settings and ensure TLS 1.2 (or higher) is enabled
- Upgrade end devices firmware if TLS 1.2 is not supported.
Considerations
When installing certificates manually onto devices which run Microsoft Windows, some additional steps are required to maintain maximum security, this involves installing the certificate into the correct location and certificate store during the certificate installation wizard. There are two options to choose from.
| Store Location | Use Case |
|---|
| Local Machine Store | Where the device will be used by multiple users |
| Current User Store | Where the device will be used by only one staff member/student, or where only one user may have consented to having their secure traffic inspected. |
Installing an SSL or TLS Certificate (as a Trusted Root Certification Authority)
1. Download the certificate file from the Managed Network SSL and TLS Certificates page.
NOTE: TLS Certificates are used for schools preparing for, or that have completed their Managed Network Upgrade (Palo Alto firewalls). SSL Certificates remain valid until migration (Fortigate firewalls).
2. Right-click on the certificate file, and choose Open. You may see a Security Warning window. If so, choose Open.
3. The Certificate window will appear. Click Install Certificate...
4. Choose a Store Location (see Considerations above) and click Next.
5. Select Place certificates in the following store and click Browse.
6. Choose the Trusted Root Certification Authorities store. Click OK.
7. Click Next.
8. Click Finish.
9. You may get a Security Warning message. If so Click Yes.
10. A pop up stating that the import was successful will appear. Click Ok.
When To Perform These Steps
Installing an SSL or TLS certificate is usually required after configuring SSL or TLS Filtering for the first time, or when the certificate has expired or been re-issued.
If you are installing certificates manually on all of your Windows devices, these steps will need to be performed on each new device that is to be subject to SSL or TLS Filtering.
