Understanding When the Cisco Umbrella Root Certificate Is Required

MuathA. · ‎11-11-2025

I'm trying to understand when the Umbrella root certificate is needed.

I have just deployed the Umbrella VAs and configured my PCs to use the VAs as their DNS server.

In my Umbrella policy, both Intelligent Proxy and SSL Decryption are unchecked. However, when I go to Google or any other website, I get an SSL warning.

Is this normal? Why am I getting this warning if Intelligent Proxy and SSL Decryption are disabled?

Also, after I installed the Umbrella root certificate on my PC and visited google.com again, the SSL warning disappeared. However, the certificate shown in the browser is still Google’s certificate, not a Cisco Umbrella certificate.

This is confusing, and I'm trying to understand how this behavior works.

MuathA. · ‎11-11-2025

.

Royalty · ‎11-11-2025

Hi @MuathA.,

The Umbrella Trusted Root Certificate is not strictly required for the Umbrella Block Page to function on all websites but is required for the majority, e.g. websites that enforce HSTS or use HTTPS. Therefore, the recommendation and general guidance is that the Umbrella Block Page is only supported and has consistent behaviour for 'managed' devices with the Umbrella Trusted Root Certificate installed. If sites on the HSTS list were blocked they would never display the block page (some examples are twitter.com and reddit.com). They will have SSL errors with an HSTS warning.

Umbrella Block Pages (block.opendns.com) are served with a certificate signed by Identrust (Umbrella previously used DigiCert recently) but this is for a different CN than the one associated with the original requested website which again comes back to the issues with serving block pages for sites accessed over HTTPS.

However, your circumstance sounds slightly different. You should not be getting any warnings for websites that are not blocked (those that are allowed). Could it be that your policy is extremely restrictive at the moment?

The PDNS function in Umbrella (DNS Filtering) should not tamper with any websites that aren't subject to blocking. A website is blocked through DNS returning the IP address of an Umbrella Block Page instead of the true IP address of the original destination website. This behaviour would of course change when the Intelligent Proxy or SafeSearch is enabed. Other than that, allowed websites just go through normal DNS resolution and then normal HTTP/S and TCP/IP communication.

To summarise, the Umbrella Trusted Root Certificate (in terms of DNS Filtering) is needed for the following uses:

Displaying the Umbrella Block Page
Using the Intelligent Proxy w/ SSL Decryption

The results should be:

Some blocked websites should still load the Umbrella Block Page without the Umbrella Trusted Root Certificate e.g. HTTP sites. Sites that are capable of HTTPS may load if the domain is entered without specifying the protocol (that is, without specifying https://). The block page will never load for those not on the HSTS list and without the Umbrella Trusted Root Certificate
Any website that is allowed should work normally unless the Intelligent Proxy w/ SSL Decryption is enabled. The site may be allowed in the policy but considered risky as per the Umbrella 'grey' domain list, in which case it would be proxied and need the Umbrella Trusted Root Certificate for decrypt, inspect and re-sign.

Are you able to reproduce this issue again when you remove the Umbrella Trusted Root Cert from your machine's trusted root certificate store? If you're able to then we can test why whilst it's in the broken state. It would be good to see the policy that you have configured as well as see what the IP addresses are that have been resolved through DNS for the sites that are getting the SSL errors. For example, if shopping.com was displaying an SSL error before we installed the Root Cert, what did the DNS resolve to for shopping.com under that non-working condition

Let me know if that sparks any further questions...