Read Me
Use this guide to install the Cisco Umbrella Root CA certificate for Linux. Please don’t use this guide to install the certificate in Windows or cook up a spaghetti bolognese (sorry!).
Below are the Linux operating systems on which I’ve installed the certificate and verified functionality:
- RHEL 7.x, 8.x
- AlmaLinux 8.x, 9.x
- CentOS 7.x, 8.x
- Ubuntu LTS 20.x, 22.x
What Certificate
If you have Cisco Umbrella for DNS security, you’ll want to install their root certificate everywhere possible; it warrants going as far as to print and stick it on the fridge door - OK, maybe too far…
IP Layer Enforcement, Intelligent Proxy, SSL Decryption and blocking of custom URLs are just some of the features that require the Cisco Umbrella certificate to be installed. With the certificate in place, we can use those features, which significantly add to your security posture.
Even if you don’t currently utilise these features, it is better to sort out the certificate installation immediately. Bake it into templates. Please do whatever you can to get it rolled out to your existing infrastructure. One day you’ll be able to flip on those features - intentionally or accidentally - without worrying about breaking a box or two.
Why Install Said Certificate
Hypothetically, say you don’t have the Cisco Umbrella root certificate installed in your environment. One day, if you or a colleague switch on a feature like Intelligent Proxy (which requires the Cisco Umbrella certificate to be installed), someone will have a bad time!
You may not immediately experience any issues at all. That’s because some URLs visited are well known and/or categorised. However, Umbrella will soon come across URLs that don’t match known categories or are seen as “grey domains”, i.e. neither a good domain nor a bad domain, more of a neutral domain, just like Switzerland. When this happens, you will get certificate errors both at the CLI and in the GUI.
Here is one example of certificate errors on AlmaLinux (screenshot). Though somewhat misleading, it gives some idea as to what’s up.
Here is another screenshot, this time from Ubuntu. The certificate error is clear and concise as to what’s up.
For a sanity check of sorts, we can double down by confirming the problematic boxes in Umbrella. By running an Activity Search, we see the exact URL logged in Umbrella with the action “selectively proxied”. This confirms Umbrella is intercepting and proxying DNS queries and is thus the root cause of the failing services, applications and commands on the previous computers!
Now we can move on to the bash commands for converting the certificate, moving the certificate to the correct directory, and installing the certificate.
Linux Certificate Installation
This section covers the certificate installation for RHEL and Ubuntu.
RHEL and its Derivatives (CentOS, AlmaLinux etc.)
We can use the same commands and paths to install the certificate on all related distributions; again, no reboot is needed!
Confirm you are still getting certificate errors. Run wget with the problematic URL (test a URL you have confirmed is proxied in your environment), e.g.:
wget packages.endpointdev.com
The certificate provided by Cisco Umbrella has a CER extension. Convert it to CRT with:
openssl x509 -inform PEM -in Cisco_Umbrella_Root_CA.cer -out cisco_umbrella_root_ca_certificate.crt
# If you get PEM errors, you may need to switch the input encoding to DER by using the command below instead.
# openssl x509 -inform DER -in certificate_name.cer -out certificate_name.crt
Copy or move the newly converted CRT certificate to the system-wide trust store.
sudo mv cisco_umbrella_root_ca_certificate.crt /etc/pki/ca-trust/source/anchors/
Consolidate the anchors into the CA trust store.
sudo update-ca-trust
Finally, rerun wget to see if you get an HTTP 200. The Cisco Umbrella certificate is now implicitly trusted!
wget packages.endpointdev.com
This concludes the certificate installation for RHEL and its derivatives. The following section covers the certificate installation for Ubuntu.
Ubuntu
The bash commands are pretty much the same for Ubuntu. The deviation is only with the directory for the certificate and the command to update the certificate store. Again, no reboot is required.
Confirm you are getting certificate errors. Run wget with the problematic URL (use a URL you have confirmed is proxied within your environment):
wget packages.endpointdev.com
The certificate provided by Cisco Umbrella has a CER extension. Convert it to CRT so that the later update command picks it up (update-ca-certificates only considers .crt files in that directory).
openssl x509 -inform PEM -in Cisco_Umbrella_Root_CA.cer -out cisco_umbrella_root_ca_certificate.crt
# If you get PEM errors, you may need to switch the input encoding to DER by using the command below instead.
# openssl x509 -inform DER -in certificate_name.cer -out certificate_name.crt
Copy or move the newly converted CRT certificate to the system-wide trust store.
sudo cp cisco_umbrella_root_ca_certificate.crt /usr/local/share/ca-certificates/
Run the command to update the certificate authority bundle. Its output will report that one certificate was added.
sudo update-ca-certificates
Finally, rerun wget to see if you get an HTTP 200. The Cisco Umbrella certificate is now implicitly trusted!
wget packages.endpointdev.com
This concludes the Umbrella certificate install for Ubuntu.
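The RHEL-family and Ubuntu procedures above differ only in the anchor directory and the update command, so here is an added example script (my own, not part of the original guide or Cisco's tooling) that picks the right pair from /etc/os-release, auto-detects whether the .cer is PEM or DER, shows the subject and fingerprint before trusting it, and repeats the guide's wget check. The os-release-based family detection and the fingerprint display step are my assumptions; the paths, commands and test URL are the guide's.

```shell
#!/bin/sh
# Added example, not part of the original guide: one script covering both the
# RHEL-family and Ubuntu procedures. Trust-store paths and update commands are
# the guide's; detecting the family from /etc/os-release is my own assumption.

# Print PEM if the file carries a PEM header, otherwise DER (the guide's
# "switch to DER encoding if you get PEM errors" step, automated).
cert_encoding() {
    if head -c 27 "$1" | grep -q 'BEGIN CERTIFICATE'; then
        echo PEM
    else
        echo DER
    fi
}

# Given an os-release file, print "<anchor dir> <update command>" for that
# family. ID_LIKE covers derivatives: AlmaLinux/CentOS list rhel, Ubuntu lists debian.
trust_store_for() {
    ids=$(. "$1" && echo "$ID ${ID_LIKE:-}")
    case " $ids " in
        *" rhel "*|*" centos "*|*" fedora "*)
            echo "/etc/pki/ca-trust/source/anchors update-ca-trust" ;;
        *" ubuntu "*|*" debian "*)
            echo "/usr/local/share/ca-certificates update-ca-certificates" ;;
        *) return 1 ;;
    esac
}

# Convert the .cer Cisco ships to .crt, show what is about to be trusted,
# install it into the system-wide store, refresh, and re-check with wget.
install_umbrella_ca() {
    cer=$1
    crt=cisco_umbrella_root_ca_certificate.crt
    store=$(trust_store_for /etc/os-release) || { echo "unsupported distro" >&2; return 1; }
    dir=${store% *}
    update=${store#* }
    openssl x509 -inform "$(cert_encoding "$cer")" -in "$cer" -out "$crt"
    # Compare the subject and SHA-256 fingerprint with the copy downloaded from
    # the Umbrella dashboard before adding a root CA to every TLS client on the box.
    openssl x509 -in "$crt" -noout -subject -fingerprint -sha256
    sudo cp "$crt" "$dir/"
    sudo "$update"
    # The guide's verification: wget exits non-zero (5) on a TLS validation error.
    wget -q -O /dev/null https://packages.endpointdev.com && echo "trust store OK"
}

case "${1:-}" in
    install) install_umbrella_ca "${2:-Cisco_Umbrella_Root_CA.cer}" ;;
esac
```

Run it as `sh umbrella-ca.sh install Cisco_Umbrella_Root_CA.cer`; without the `install` argument it only defines the functions, so the detection helpers can be sourced and checked on their own.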
Conclusion
Consider adding the Cisco Umbrella certificate to golden images or templates so that all future deployments have the certificate installed.
Remember, the Cisco certificate is also available to install on other platforms, such as:
- Microsoft Windows
- macOS
- ChromeOS
- Mobile devices