Skip to main content

Manual Installation of PAC URL and Root CA on Windows (Testing Only)

Quick manual installation of proxy PAC URL and root CA on Windows for testing/POC. Production deployments should use MDM (Intune, AD Group Policy, Rippling).

Updated over a month ago

Prerequisites

Before beginning, gather these items from the SurePath AI admin console at https://admin.surepath.ai:

Get the PAC URL:

  • Navigate to Connectors in the CONFIGURE section

  • Click ADD CONNECTOR

  • Provide a descriptive name (e.g., "Manual Test - Windows")

  • Select Proxy as the connector type

  • Click Save to generate your unique PAC file URL

  • Copy the PAC file URL from the connector details

Get the root CA certificate:

  • Click Organization in the CONFIGURE section

  • Select the Integration tab

  • Download the SurePath AI Root CA Certificate from the File Downloads section (use the CER format)

Step 1: Install the root CA certificate

The root CA certificate allows SurePath AI to intercept and apply policy to GenAI traffic.

  • Locate the downloaded certificate file (.cer extension)

  • Right-click the certificate file and select Install Certificate

  • In the Certificate Import Wizard, select Local Machine and click Next

  • Click Yes when prompted by User Account Control

  • Select Place all certificates in the following store

  • Click Browse

  • Select Trusted Root Certification Authorities and click OK

  • Click Next

  • Click Finish

  • Click OK when you see "The import was successful"

Step 2: Configure the PAC URL

The PAC URL tells Windows which traffic to route through SurePath AI (only GenAI services).

Using Windows Settings (Windows 10 and 11):

  • Open Settings (press Windows key + I)

  • Click Network & internet

  • Click Proxy

  • Scroll down to Automatic proxy setup

  • Toggle Use setup script to On

  • In the Script address field, paste the SurePath AI Proxy PAC URL from the prerequisites

  • Click Save

Step 3: Verify the integration

SurePath AI provides a verification tool to confirm proper configuration.

  • Open a web browser (Chrome, Edge, or Safari)

  • Navigate to https://ready.surepath.ai

  • The page will automatically run tests

  • Verify both tests show green Valid results:

    • Certificate Trust: Confirms the root CA is properly trusted

    • Network Configuration: Confirms traffic is routing through SurePath AI

Important notes

  • This manual configuration is intended for testing only

  • For production deployments, use MDM platforms such as Microsoft Intune or Active Directory Group Policy to distribute configuration at scale

  • The PAC file automatically updates to include new GenAI services, so the URL does not need to change

  • Most operating systems and browsers refresh the PAC file every 1-2 hours

  • Only GenAI traffic is routed through SurePath AI; all other traffic follows normal routing

  • Restart your browser after configuration to ensure settings take effect

Removing the configuration

To remove the test configuration:

Remove PAC URL:

  • Open Settings > Network & internet > Proxy

  • Toggle Use setup script to Off

  • Click Save

Remove root CA certificate:

  • Press Windows key + R and type certmgr.msc

  • Navigate to Trusted Root Certification Authorities > Certificates

  • Locate "SurePath AI Root CA"

  • Right-click the certificate and select Delete

  • Click Yes to confirm

Related Articles
Rippling - Distributing Configuration for MacOS
Rippling - Distributing Configuration for Windows
Microsoft Intune - Distributing configuration for macOS
SurePath AI Traffic Flows
Manual Installation of PAC URL and Root CA on macOS (Testing Only)
Did this answer your question?