These instructions will need to be performed by the network administrator to update the certificate. This can be done at any time, but we recommend that it is completed before your school is moved to the new SchoolProtect platform so that decryption can be tested and enabled quickly.
Every device and application will need to be tested to ensure compatibility with decryption, and exceptions should be added where needed.
First, download the certificate from: support.lgfl.org.uk/public/sslfiltx.crt. You will need this in the following steps.
Please note: if you already have decryption enabled, do not remove the existing certificate until instructed by LGfL staff as this will need to remain in place for the duration of the migration process.
Installing Certificates at an Administrator Level
If your school uses Microsoft Active Directory:
1. Download the certificate from the link above.
2. Create a (or update an existing) Group Policy Object targeting all the computers in your domain. You can do this using Group Policy Management Console on your Domain Controller.
3. Edit the Group Policy Object and navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\.
4. Right-click Trusted Root Certification Authorities and press Import... Follow the wizard, browsing to the downloaded certificate file when prompted.
This will now deploy the certificate to all the Windows PCs on your network. Please give plenty of time for the devices to pick up the certificate before enabling decryption on your policies. More information about deploying certificates through Group Policy can be found here: Distribute Certificates to Client Computers by Using Group Policy.
This will resolve certificate issues for Microsoft Edge and Chrome. Please note: if you use Firefox, it will still require a separate certificate installation.
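One way to confirm that a Windows PC has picked up the certificate before decryption is enabled (an added PowerShell example, not part of LGfL's instructions): it checks the downloaded file against the certificate details listed on this page and looks for the same certificate in the machine's Trusted Root store. The download path is an assumption; the printed thumbprint can be compared between devices.

```powershell
# Added example (not LGfL's own script). Run on a Windows PC that should have the certificate.
param(
    # Assumed location of the downloaded file; adjust to where you saved it.
    [string]$CertPath = "$env:USERPROFILE\Downloads\sslfiltx.crt"
)

# Values taken from the certificate details listed on this page.
$expectedName   = 'LGfL SchoolProtect HTTPS Decryption'
$expectedExpiry = [datetime]'2032-05-13'

$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$cert = $x509::new((Resolve-Path -LiteralPath $CertPath).Path)

# Subject and issuer common names (a root CA is self-issued, so both should match).
$subjectCn = $cert.GetNameInfo('SimpleName', $false)
$issuerCn  = $cert.GetNameInfo('SimpleName', $true)

# Basic Constraints must mark the certificate as a CA for it to sign site certificates.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

# Allow one day either side of the listed date for time zone display differences.
$expiryDelta = [math]::Abs(($cert.NotAfter.ToUniversalTime().Date - $expectedExpiry).TotalDays)

# Look for the same certificate (matched by thumbprint) in the machine root store.
$inStore = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

$checks = [ordered]@{
    'Subject CN matches page' = ($subjectCn -eq $expectedName)
    'Issuer CN matches page'  = ($issuerCn -eq $expectedName)
    'Marked as a CA'          = [bool]($bc -and $bc.CertificateAuthority)
    'Expiry matches page'     = ($expiryDelta -le 1)
    'Currently valid'         = ((Get-Date) -ge $cert.NotBefore -and (Get-Date) -le $cert.NotAfter)
    'In LocalMachine\Root'    = [bool]$inStore
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
"SHA-1 thumbprint: $($cert.Thumbprint)"

# Non-zero exit code if any check failed, so the result can be collected per device.
if ($checks.Values -contains $false) { exit 1 }
```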
Installing Certificates via Intune
If you are planning to deploy certificates via Intune:
1. Download the certificate from the link above.
2. Log into Intune and go to Devices > Windows > Configuration Profiles.
3. Create a new profile, select Windows 10 or later and choose the Template profile type.
4. Select the Trusted Certificate template (you can search for this) and click Create.
5. Enter a name and description, for example, “LGfL Decryption Certificate” then click Next.
6. Use the blue folder icon to browse for the downloaded certificate. Ensure the Destination Store is set to Computer certificate store – Root and click Next.
7. Click Add all devices then Next.
8. On the Applicability Rules page, leave everything blank and click Next.
9. Click Create on the last page.
The certificate will now be deployed to all enrolled devices.
More information about deploying certificates through Intune can be found here: Trusted root certificate profiles for Microsoft Intune
Installing Certificates on Windows OS
First, download the certificate to the local computer, using the download link provided above.
Installing Certificates on Mac OSX
Mac users will need to install a certificate for the operating system only. This is done via the Keychain for users who have admin rights to the computer. Enter the download link into the Safari browser and you will get a pop-up asking you to confirm that you would like to Allow this download.
Once downloaded, go to your downloads section and click on the certificate.
This will open another pop-up. Make sure to add it to the System Keychain, so that it will affect the whole machine rather than a specific user, and click Add. You may need to enter your password.
Once added, please go to the Keychain application.
From within the Keychain application, go to System from the left-side panel, scroll down until you see the certificate called LGfL SchoolProtect HTTPS Decryption and double-click on it.
When viewing the certificate, open the Trust section and change When using this certificate to Always Trust. Upon clicking close, you will need to enter your password again. The certificate is now added to your device.
Installing Certificates for iOS
For both iPhone and iPad, the certificate is installed into the operating system in a very simple process. Open Safari and enter the download link; this will produce a pop-up from which you can perform the installation. Touch Allow.
Close the pop-up and leave the Safari browser.
Go to Settings. You may search for VPN, Device Management or Profile and the correct option should appear. Click on VPN & Device Management.
From here you will see, under Downloaded Profile, an option for LGfL SchoolProtect HTTPS Decryption. Click on it.
Now click on Install. You may need to enter your password.
Click Install again.
The certificate is now downloaded onto your device.
Installing Certificates on Android OS
Enter the download link into your browser of choice; in this example we are using Google Chrome. Once entered, it will download the certificate to your device's download folder. A warning will be given to download it from Settings instead, so you can click Close.
Go to Settings, search for "certificate" and there should be an option for CA certificate.
You may get a warning; you can click Install anyway.
Click on CA certificate; it may ask you to enter your PIN or fingerprint for confirmation.
Browse to where you downloaded the certificate; it should be in your download folder by default.
You should get a pop-up at the bottom to confirm that it has been added.
Installing Certificates for MDM (Meraki)
These instructions are based on Meraki (claim your free licenses at meraki.lgfl.net). The process will be similar for other MDMs; please consult the vendor documentation for how to install Root CA Certificates.
1. Download the certificate from the link above.
2. Log into Meraki and ensure you are in the correct network for your school.
3. Hover over Systems Manager and click Settings.
4. Create a new profile using the + Add Profile button.
5. Choose Device Profile (default) and click Continue.
6. Give the profile a name, for example, “LGfL Decryption Certificate” and set the scope to All Devices.
7. Click + Add Settings on the left-hand side and choose Certificate.
8. Give the certificate a name (you can use the same name as in the earlier step), select System for CertStore and leave the Password box empty.
9. Click Choose File to select and upload the downloaded certificate. Once uploaded, you should see the following details:
   Filename: sslfiltx.crt
   Issuer: LGfL SchoolProtect HTTPS Decryption
   Subject/CN: LGfL SchoolProtect HTTPS Decryption
   Expiration: May 13, 2032
10. Save the profile.
This will now deploy the certificate to all enrolled devices.
More information about deploying certificates through Meraki Systems Manager can be found here: Certificates Payload (Pushing Certificates).
Please note: most Android apps do not support HTTPS decryption and exclusions will need to be added in the SchoolProtect interface.
Installing Certificates on Chrome OS
If you are planning to deploy certificates on Chrome OS devices:
1. Download the certificate from the link above.
2. Log into your Google Admin console: admin.google.com
3. Go to Menu and then Devices > Networks.
4. Go to Certificates.
5. Leave the top organizational unit selected to apply the certificate to all Chrome devices.
6. Click Create certificate.
7. Enter a name for the certificate, e.g. “LGfL Decryption Certificate”.
8. Click Upload and select the certificate downloaded from the above link.
9. Tick Enabled under Chromebook.
10. Click Add.
This will now deploy the certificate to all enrolled devices.
Please note: Chromebooks must be set up on a policy or IP range that does not have HTTPS decryption enabled. Once they have been enrolled into the Google Admin Console, they can be connected to the network with HTTPS decryption enabled. You can set up an IP exclusion in SchoolProtect that you can use to allow devices to be enrolled and pick up the certificate.
More information about deploying certificates to ChromeOS devices can be found here: Set up TLS (or SSL) inspection on Chrome devices.
Verifying Your Certificate Installation
After installing the certificate onto your device, you can verify if it was correctly installed by visiting: http://certificatecheck.lgfl.org.uk/
Upon visiting the website, it will tell you if the certificate was installed correctly or not.
Please note: if you have visited this website beforehand, the message may not be correct unless you have cleared your cache.