Install the CleanBrowsing Root CA Certificate

Step 1: Why You Need the CleanBrowsing Root CA

When CleanBrowsing blocks an HTTPS website, it serves a block page in place of the requested site. The block page certificate is signed by the CleanBrowsing Root Certificate Authority. Without installing this CA certificate, your browser will display SSL/TLS security warnings such as:

• Chrome: "Your connection is not private" (NET::ERR_CERT_AUTHORITY_INVALID)
• Firefox: "Warning: Potential Security Risk Ahead"
• Internet Explorer / Edge: "The security certificate presented by this website was not issued by a trusted certificate authority"
• Safari: "This Connection Is Not Private"

Installing the Root CA certificate tells your browser to trust CleanBrowsing's block page certificates, allowing the block page to display cleanly without security warnings.

Step 2: Download the Certificate

Download the CleanBrowsing Root CA certificate file from:

Download CleanBrowsing Root CA (.crt)

Direct URL: https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt

Save the file to a location you can easily find, such as your Downloads folder.

Step 3: Install on Windows (GUI Method)

This method works for Internet Explorer, Edge, and Chrome (which use the Windows certificate store):

1. Double-click the downloaded CleanBrowsing-Filter-BlockPage-CA.crt file
2. Click Install Certificate
3. Select Local Machine (requires administrator rights) or Current User
4. Choose "Place all certificates in the following store"
5. Click Browse and select Trusted Root Certification Authorities
6. Click Next, then Finish
7. Confirm the security warning by clicking Yes

Restart your browser for the change to take effect.

Step 4: Install on Windows (Command Line)

For scripted or automated deployments, use certutil from an elevated Command Prompt (Run as Administrator):

certutil -addstore -enterprise -f Root CleanBrowsing-Filter-BlockPage-CA.crt

This installs the certificate into the Local Machine's Trusted Root Certification Authorities store, making it available to all users on the computer.

To verify the certificate was installed:

certutil -store Root "CleanBrowsing"

Step 5: Install on macOS

GUI method:

1. Double-click the .crt file to open it in Keychain Access
2. Select the System keychain
3. Enter your administrator password
4. Find the CleanBrowsing certificate, double-click it
5. Expand Trust and set "When using this certificate" to Always Trust
6. Close the window and enter your password again to confirm

Terminal method:

# Download the certificate
wget -P ~/Downloads https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt

# Install to the System keychain
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic \
  -k /Library/Keychains/System.keychain \
  ~/Downloads/CleanBrowsing-Filter-BlockPage-CA.crt

You will be prompted for your administrator password.

Step 6: Install on Linux

Debian / Ubuntu:

# Download the certificate
wget https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt

# Copy to the trusted certificates directory
sudo cp CleanBrowsing-Filter-BlockPage-CA.crt /usr/local/share/ca-certificates/

# Update the certificate store
sudo update-ca-certificates

Red Hat / CentOS / Fedora:

# Download the certificate
wget https://my.cleanbrowsing.org/download/CleanBrowsing-Filter-BlockPage-CA.crt

# Copy to the anchors directory
sudo cp CleanBrowsing-Filter-BlockPage-CA.crt /etc/pki/ca-trust/source/anchors/

# Update the certificate store
sudo update-ca-trust

Note: Linux system certificate stores are used by Chrome and most applications, but Firefox uses its own certificate store (see next step).

Step 7: Install in Firefox

Firefox uses its own certificate store, separate from the operating system. You must install the certificate within Firefox even if you already installed it at the OS level:

1. Open Firefox and go to Settings (or Options)
2. Search for "certificates" or navigate to Privacy & Security → Certificates
3. Click View Certificates
4. Go to the Authorities tab
5. Click Import
6. Select the CleanBrowsing-Filter-BlockPage-CA.crt file
7. Check "Trust this CA to identify websites"
8. Click OK

Restart Firefox for the change to take effect.

Step 8: Deploy via Group Policy (Enterprise)

For organizations managing multiple Windows computers, deploy the certificate via Group Policy:

1. Open Group Policy Management Console (gpmc.msc)
2. Create or edit a GPO linked to the appropriate OU
3. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
4. Right-click Trusted Root Certification Authorities → Import
5. Select the CleanBrowsing Root CA certificate file
6. Complete the wizard

Important: Group Policy certificate deployment applies to Internet Explorer, Edge, and Chrome. Firefox requires separate configuration or enabling the security.enterprise_roots.enabled setting in Firefox to read from the Windows certificate store.