You can verify the installation of the Certificate with this command:

Get-ChildItem Cert:\LocalMachine\Root |
  Where-Object Thumbprint -eq "6AC54D30EE60A4A95D709D805D7A0DA12ED6E03D" |

If you need to remove the Root Certificate, deploy the following script:

# Copyright (c) 2025 Password Boss
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#    * Redistributions of source code must retain the above copyright
#      notice, this list of conditions and the following disclaimer.
#    * Redistributions in binary form must reproduce the above copyright
#      notice, this list of conditions and the following disclaimer in the
#      documentation and/or other materials provided with the distribution.
#    * Neither the name of the AutoElevate nor the names of its contributors
#      may be used to endorse or promote products derived from this software
#      without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL OPENDNS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

<#
Removes the Root Certificate for CyberFOX DNS Filtering. REQUIRES ADMIN RIGHTS TO DEPLOY 
 #>
 
$thumb = "6AC54D30EE60A4A95D709D805D7A0DA12ED6E03D".ToUpper()
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$cert = $store.Certificates | Where-Object { $_.Thumbprint.ToUpper() -eq $thumb }
if ($cert) { $store.Remove($cert); "Removed: $($cert.Subject) [$thumb]" } else { "Not found" }
$store.Close()

Create the Trusted certificate and deploy using Intune.

1. Admin Center: https://intune.microsoft.com
2. Devices → Windows → Configuration profiles → Create profile
3. Platform: Windows 10 and later
   1. Profile type: Templates → Trusted certificate
4. Basics
   1. Name: Trusted Root CA – CyberFOX DNS
   2. Description: Deploy CyberFOX DNS Root CA (thumbprint 6AC5...E03D) to Computer\Root
5. Configuration settings
   1. Trusted certificate: Upload the rootCA.cer certificate
   2. Destination store: Computer certificate store – Root
6. Scope tags (optional): apply your RBAC tags.
7. Assignments
   1. Include: your Windows device groups (e.g., All Windows Devices).
   2. Exclude: any groups that should not receive the CA.
8. Review + Create

Troubleshooting Common Issues

❌ Browser Warning: “Your connection is not private”

• Cause: The certificate may not be installed in the correct store.
• Fix: Reinstall the certificate and ensure it’s placed in the Trusted Root Certification Authorities store (Windows) or System keychain (macOS).

❌ Certificate Not Trusted

• Cause: The certificate may not be marked as trusted.
• Fix: On macOS, open Keychain Access, double-click the certificate, and set Always Trust under the “Trust” section.

❌ Block Page Not Displaying

• Cause: The certificate is missing or improperly installed.
• Fix: Confirm the certificate is installed and trusted. Also, ensure that CyberFOX DNS Filtering is configured to display blocked pages.

❌ Still Seeing the .pem Extension

• Cause: File extensions may be hidden by default.
• Fix: Ensure the file is renamed to CyberFOXrootCA.cer and not CyberFOXrootCA.cer.pem.