https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010764#M1010283 Hi,<BR />Chrome doesn't check the Windows local Certificate store, you will need to import the certificate into Chrome application via it's security settings options, the same applies to Firefox.<BR /><BR />HTH Mon, 13 Jan 2020 21:13:14 GMT Rob Ingram 2020-01-13T21:13:14Z https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010760#M1010281 <P>What is the procedure to use to import a certificate to be trusted for DPI for a Windows 10 machine that is not on the domain? I tried exporting the root-ca from our CA as x509 format and imported that to local computer trusted root authorities, but that didn't work. I get&nbsp;NET::ERR_CERT_AUTHORITY_INVALID in Chrome when testing. My policy is working for a domain connected PC on my FTD appliances. They all share the same SSL/ACP policy.</P> Mon, 13 Jan 2020 21:08:25 GMT https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010760#M1010281 ryan14 2020-01-13T21:08:25Z https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010764#M1010283 Hi,<BR />Chrome doesn't check the Windows local Certificate store, you will need to import the certificate into Chrome application via it's security settings options, the same applies to Firefox.<BR /><BR />HTH Mon, 13 Jan 2020 21:13:14 GMT https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010764#M1010283 Rob Ingram 2020-01-13T21:13:14Z https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010770#M1010285 <P>Thanks for the reply. Are you sure about that? I didn't have to import anything on my domain connected PCs for the cert to be recognized by any browser (Chrome, FF, Edge, IE).</P> Mon, 13 Jan 2020 21:26:54 GMT https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010770#M1010285 ryan14 2020-01-13T21:26:54Z https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010782#M1010287 Yes, sorry it seems I was incorrect, Chrome does use the underlying OS certificate store.<BR />Does it work if you add the certificate to the local user trusted certificate store? Mon, 13 Jan 2020 21:40:09 GMT https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4010782#M1010287 Rob Ingram 2020-01-13T21:40:09Z https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4011213#M1010291 <P>Yes it does. Very strange. Any idea why it would work for Current User but not Local Computer?</P> Tue, 14 Jan 2020 14:16:24 GMT https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4011213#M1010291 ryan14 2020-01-14T14:16:24Z https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4011217#M1010292 At a guess (not being a Microsoft expert) but I imagine it is because if the computer is not joined to an AD domain the local computer certificate store is not used. Tue, 14 Jan 2020 14:22:29 GMT https://community.cisco.com/t5/network-security/how-to-import-a-certificate-used-for-dpi-non-domain-machine/m-p/4011217#M1010292 Rob Ingram 2020-01-14T14:22:29Z