Install the CleanBrowsing Root CA certificate to prevent SSL/TLS warnings when accessing blocked HTTPS pages. Required for block pages to display correctly.
When CleanBrowsing blocks an HTTPS website, it serves a block page in place of the requested site. The block page certificate is signed by the CleanBrowsing Root Certificate Authority. Without installing this CA certificate, your browser will display SSL/TLS security warnings such as:
Installing the Root CA certificate tells your browser to trust CleanBrowsing's block page certificates, allowing the block page to display cleanly without security warnings.
Download the CleanBrowsing Root CA certificate file from:
Download CleanBrowsing Root CA (.crt)
Direct URL: https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt
Save the file to a location you can easily find, such as your Downloads folder.
This method works for Internet Explorer, Edge, and Chrome (which use the Windows certificate store):
CleanBrowsing-Filter-BlockPage-CA.crt fileRestart your browser for the change to take effect.
For scripted or automated deployments, use certutil from an elevated Command Prompt (Run as Administrator):
certutil -addstore -enterprise -f Root CleanBrowsing-Filter-BlockPage-CA.crt
This installs the certificate into the Local Machine's Trusted Root Certification Authorities store, making it available to all users on the computer.
To verify the certificate was installed:
certutil -store Root "CleanBrowsing"
GUI method:
.crt file to open it in Keychain AccessTerminal method:
# Download the certificate
wget -P ~/Downloads https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt
# Install to the System keychain
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic \
-k /Library/Keychains/System.keychain \
~/Downloads/CleanBrowsing-Filter-BlockPage-CA.crt
You will be prompted for your administrator password.
Debian / Ubuntu:
# Download the certificate
wget https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt
# Copy to the trusted certificates directory
sudo cp CleanBrowsing-Filter-BlockPage-CA.crt /usr/local/share/ca-certificates/
# Update the certificate store
sudo update-ca-certificates
Red Hat / CentOS / Fedora:
# Download the certificate
wget https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt
# Copy to the anchors directory
sudo cp CleanBrowsing-Filter-BlockPage-CA.crt /etc/pki/ca-trust/source/anchors/
# Update the certificate store
sudo update-ca-trust
Note: Linux system certificate stores are used by Chrome and most applications, but Firefox uses its own certificate store (see next step).
Firefox uses its own certificate store, separate from the operating system. You must install the certificate within Firefox even if you already installed it at the OS level:
CleanBrowsing-Filter-BlockPage-CA.crt fileRestart Firefox for the change to take effect.
For organizations managing multiple Windows computers, deploy the certificate via Group Policy:
Important: Group Policy certificate deployment applies to Internet Explorer, Edge, and Chrome. Firefox requires separate configuration or enabling the security.enterprise_roots.enabled setting in Firefox to read from the Windows certificate store.
Android requires you to install the certificate through the Security settings. The CleanBrowsing VPN Debug app can download the certificate to your Downloads folder automatically, or you can download it manually first.
Download the certificate to your device:
Tap the download button above or use the CleanBrowsing VPN Debug app's Install Block Page CA Cert button — it saves the file to your Downloads folder.
Install from device storage:
Note: The exact path may differ slightly depending on your Android version and manufacturer. Common variations:
Once installed, Chrome and other browsers will recognize the CleanBrowsing block page certificate and display block pages cleanly instead of showing SSL warnings.
Important: On Android 7 and higher, user-installed CA certificates apply to browser traffic but not to app traffic (apps that use certificate pinning or set their own trust anchors). For full HTTPS block page visibility, install the certificate on the device and use the device's browser.
After installing, you can confirm the certificate landed in the correct trust store with a quick command-line check. Run the command for your OS and look for the CleanBrowsing certificate in the output.
Windows (PowerShell, run as Administrator):
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*CleanBrowsing*"}
If installed correctly, the command returns the certificate's Thumbprint and Subject line. No output means the certificate isn't in the Local Machine Trusted Root store — it may have been installed under Current User instead, which won't apply to all browsers and services.
macOS (Terminal):
security find-certificate -a -c "CleanBrowsing" /Library/Keychains/System.keychain
This searches the System keychain for any certificate matching "CleanBrowsing". A successful install returns the certificate details. Empty output means the cert wasn't added to the System keychain (or was added to the Login keychain instead, which only applies to the current user).
Linux (Debian / Ubuntu):
ls /usr/local/share/ca-certificates/ | grep -i cleanbrowsing
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' /etc/ssl/certs/ca-certificates.crt | grep -i cleanbrowsing
The first command confirms the certificate file was copied to the source directory. The second confirms the certificate was merged into the system trust bundle after running update-ca-certificates.
Linux (RHEL / Fedora / CentOS):
trust list | grep -A 3 -i cleanbrowsing
Returns the certificate label and trust anchor entry when properly installed via update-ca-trust extract.
Android (with adb, developer-enabled device):
adb shell ls /data/misc/user/0/cacerts-added/
Lists user-installed CA certificates. The CleanBrowsing CA appears here once installed through the Settings flow in Step 9.
End-to-end browser test: The fastest functional check is to visit a blocked HTTPS site in your browser. If the block page renders cleanly without an SSL warning, the certificate is trusted correctly for that browser. If you still see a security warning, the certificate either didn't land in the correct store or you are using a browser (like Firefox) that maintains its own independent trust store — see Step 7 for Firefox-specific installation.