Your connection is not private

Well done!  Here is the related KB article.

Yes, where exactly is the SHA 256 Fingerprint for the Cisco Umbrella Root CA?. This certificate shows as, "Not Verified" on my iOS device.

Apple's website has a different fingerprint and serial number than the one shown in the "Cisco Umbrella Root CA" certificate.

Without a published Fingerprint hard to trust.

Here's the SHA1 fingerprint:

c5 09 11 32 e9 ad f8 ad 3e 33 93 2a e6 0a 5c 8f a9 39 e8 24

Thank you. Is this posted on the site somewhere or is it from your copy of the CA?

Can you explain what all of these warning messages mean? Am I giving Cisco access to all the data I send while browsing?

There is another setting in iOS under Settings>General>Certificate Trust Settings: Enable Full Trust For Root Certificates

The Cisco Umbrella Root CA is listed here with a slider to enable or not. Should we enable?

"Is this posted on the site somewhere or is it from your copy of the CA?"

This is from the certificate itself.

"Can you explain what all of these warning messages mean?"

You may want to raise a support ticket with OpenDNS if you are concerned.  We other users can hardly help you further.  We are generally in the same situation like you as user.

So wait, let me get this straight, to access https sites, I'm going to have to install this cert on any system that uses my network?  So when a guest comes to my house I have to hit them at the door with: Dude, you have to do this to use my WiFi?  Come on, how's that even remotely logical???  I cannot imagine why anyone would even consider using this service if you have to do that.

"to access https sites, I'm going to have to install this cert on any system that uses my network?"

No, in no way!  This browser certificate warning only appears if you attempt to visit a HTTPS site where you have the domain blocked with your OpenDNS dashboard settings anyway.  You simply can also accept or ignore this browser warning instead of installing the CA cert.  It's up to you.  The warning does never come up if you visit a HTTPS site normally where you did not block related domains.

It seems you didn't read the KB article https://support.opendns.com/hc/en-us/articles/227987007 at all.

So you're telling us that Cisco cannot afford to buy a real cert to do this?  For businesses using this how does that not cause TONS of confusion on networks such as guest access WiFi?  

I see, you still did not read that KB article, else you would have seen that you can download the real cert bought by Cisco from there.  Also, why are you concerned?  These domains which you access with HTTPS are blocked anyway by your settings, independent of if you get an OpenDNS block page or a browser warning.  You have achieved what you are looking for, that the domain is being blocked and you cannot access it.  That was the goal and purpose.

Actually Rotblitz, I did.  This is NOT a real cert.  A real cert would be issued by a root cert provider such that users don't have to install them manually. Imagine having to download a cert for every HTTPS site, say your bank, Amazon, Google, etc..???  Users would NEVER do that.  There's a reason why legit sites use real certs that don't require manual interaction.  

What you don't get is users get confused, frustrated, and contact who's ever in charge of the network about errors like this.  In a large business where certs can be deployed to users by group policy that's simple, but for a small business with a guest WiFi network, those guests are going to get errors and are going to pester the employees about the issues.  Why can't they buy a legit cert from a legit provider like Verisign or if they're too cheap, just get one from one of the super inexpensive SSL providers like RapidSSL or GoDaddy?

Ok, you might have read it, but you clearly didn't understand it.

"This is NOT a real cert."

The cert is issued by a CA root cert provider.  Cisco is such a certified provider, since ions.  Didn't know?

"Imagine having to download a cert for every HTTPS site"

Agreed, a nightmare!  Good that this is not needed at all.  Why do you think you have to download certs for every HTTPS site?  Not at all!  Why would you download a cert for a HTTPS site you don't want to have visited and therefore have its domain blocked at the dashboard?  No need!  It would be nonsense to do so.  The domain is being blocked anyway.

"guests are going to get errors and are going to pester the employees about the issues."

LOL, very unlikely.  If you were a guest and attempted to visit youporn.com, would you complain with your host or the employees that you couldn't access youporn.com, because you got a browser warning "Your connection is not private"?  Hardly!  Else you are extremely courageous.  (Well, after what you said, I could really imagine that you did it this way, not being aware of the reputation loss.)

"Why can't they buy a legit cert from a legit provider like Verisign"

I see, you didn't get that this cert is legit, and they are a provider like Verisign, and that this symptom would be for any certificate, no matter which one, also from Verisign.  I give up.  You don't want to understand.  It is your right in a free world to not understand.  Be it!

If it were a real root cert there would be NO need to download and install it.  That's how root certs work.  When you want to have a conversation about SSL certs, chaining, and non-root certs let me know, I'll be happy to explain them.  Until then, this is a jury rigged solution.  Also, when you spend 16 hours a day providing IT support let me know and we'll talk about what errors users bring to the powers-that-be.  Until then, have a nice day.

No, I only spend 8 hours per day with ICT, since 35 years.  Probably not enough...

As I said, it is your right to not understand.  I accept and tolerate this.

"If it were a real root cert there would be NO need to download and install it."

Fully correct, you say it.  There is no need to download and install it.  And it is a real root cert, but not published in the bundle of root certs by Microsoft, Apple, Google, etc.  It wouldn't make sense to publish it this way, with "only" 2% of the internet users using Cisco/OpenDNS services.  This "small" amount wouldn't justify to propagate it to every device in the world.