Certificate Installation Issues

KyberGate uses a CA (Certificate Authority) certificate to inspect HTTPS traffic for content filtering. This certificate must be installed and trusted on every managed device. If the certificate is missing or not trusted, students will see browser security warnings instead of the KyberGate block page.

How KyberGate Uses Certificates

KyberGate operates as a proxy-based MITM (Man-in-the-Middle) filter. When a device connects through the KyberGate proxy:

1. The proxy intercepts HTTPS requests
2. It presents a certificate signed by the KyberGate CA
3. If the device trusts the KyberGate CA, the connection proceeds seamlessly
4. If the CA is not trusted, the browser shows a certificate error (NET::ERR_CERT_AUTHORITY_INVALID)

Verifying Certificate Installation

On iPad / iPhone

1. Go to Settings → General → About → Certificate Trust Settings
2. Look for KyberGate CA in the list
3. Ensure the toggle next to it is enabled (green)
4. Also check Settings → General → VPN & Device Management for the MDM profile containing the certificate

On macOS

1. Open Keychain Access (Applications → Utilities → Keychain Access)
2. Select the System keychain
3. Search for KyberGate
4. Double-click the KyberGate CA certificate
5. Expand Trust and verify it shows Always Trust for SSL

On Windows

1. Press Win + R, type certmgr.msc, and press Enter
2. Navigate to Trusted Root Certification Authorities → Certificates
3. Look for KyberGate CA in the list
4. If present, double-click to verify it's valid and not expired

On Chromebook

1. Go to Settings → Security and Privacy → Manage Certificates
2. Click the Authorities tab
3. Look for KyberGate CA in the list
4. Verify it shows trust for "identifying websites"

Installing the Certificate

Via MDM (Recommended)

Apple devices (iPad, iPhone, Mac) — .mobileconfig profile:

1. In your MDM (Jamf, Mosyle, Kandji, etc.), create a Certificate payload
2. Upload the KyberGate CA certificate (.cer or .pem file)
3. Set trust level to Full Trust for SSL
4. Deploy the profile to your device groups
5. For iPads: The MDM automatically enables certificate trust — no user action needed

Windows devices — GPO:

1. Open Group Policy Management on your domain controller
2. Create or edit a GPO linked to your device OU
3. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities
4. Right-click → Import → Select the KyberGate CA certificate
5. Run gpupdate /force on target machines or wait for the next policy refresh

Chromebooks — Google Admin Console:

1. Go to Google Admin Console → Devices → Chrome → Settings → Device Settings
2. Under Network → Certificates, click Upload Certificate
3. Upload the KyberGate CA .pem file
4. Select Use this certificate as an HTTPS certificate authority
5. Apply to the relevant OUs

Manual Installation (Testing Only)

1. Download the certificate from your KyberGate dashboard: Settings → Certificates → Download CA Cert
2. On the device, open the downloaded file
3. Follow the OS-specific prompts to install and trust the certificate
4. Note: Manual installation is not recommended for production — use MDM for consistent deployment

Tips

• Always use MDM — Manual certificate installation doesn't scale and is easily removed by users
• Check expiration dates — KyberGate CA certificates are valid for 10 years, but verify if you generated a custom CA
• Test after deployment — Visit https://check.kybergate.com on a managed device to confirm the certificate is working
• Re-enroll problem devices — If a single device has cert issues, remove the MDM profile and re-deploy it
• Supervised mode (iPad) — Supervised iPads accept MDM certificates silently; unsupervised iPads may require user approval

Troubleshooting

Related Articles

• Device Enrollment and PAC Configuration
• Block Page Customization
• Chrome Extension Troubleshooting