Skip to main content

Manual Installation of PAC URL and Root CA on Windows (Testing Only)

This guide provides quick steps for manually installing the SurePath AI PAC URL and root CA certificate on a Windows device. For production deployments, organizations should use MDM platforms like Intune, Active Directory Group Policy, or Rippling.

Updated over 3 months ago

Prerequisites

Before beginning, gather these items from the SurePath AI admin console at https://admin.surepath.ai:

Get the PAC URL:

  • Navigate to Connectors in the CONFIGURE section

  • Click ADD CONNECTOR

  • Provide a descriptive name (e.g., "Manual Test - Windows")

  • Select Proxy as the connector type

  • Click Save to generate your unique PAC file URL

  • Copy the PAC file URL from the connector details

Get the root CA certificate:

  • Click Organization in the CONFIGURE section

  • Select the Integration tab

  • Download the SurePath AI Root CA Certificate from the File Downloads section (use the CER format)

Step 1: Install the root CA certificate

The root CA certificate allows SurePath AI to intercept and apply policy to GenAI traffic.

  • Locate the downloaded certificate file (.cer extension)

  • Right-click the certificate file and select Install Certificate

  • In the Certificate Import Wizard, select Local Machine and click Next

  • Click Yes when prompted by User Account Control

  • Select Place all certificates in the following store

  • Click Browse

  • Select Trusted Root Certification Authorities and click OK

  • Click Next

  • Click Finish

  • Click OK when you see "The import was successful"

Step 2: Configure the PAC URL

The PAC URL tells Windows which traffic to route through SurePath AI (only GenAI services).

Using Windows Settings (Windows 10 and 11):

  • Open Settings (press Windows key + I)

  • Click Network & internet

  • Click Proxy

  • Scroll down to Automatic proxy setup

  • Toggle Use setup script to On

  • In the Script address field, paste the SurePath AI Proxy PAC URL from the prerequisites

  • Click Save

Step 3: Verify the integration

SurePath AI provides a verification tool to confirm proper configuration.

  • Open a web browser (Chrome, Edge, or Safari)

  • Navigate to https://ready.surepath.ai

  • The page will automatically run tests

  • Verify both tests show green Valid results:

    • Certificate Trust: Confirms the root CA is properly trusted

    • Network Configuration: Confirms traffic is routing through SurePath AI

Important notes

  • This manual configuration is intended for testing only

  • For production deployments, use MDM platforms or Group Policy to distribute configuration at scale

  • The PAC file automatically updates to include new GenAI services, so the URL does not need to change

  • Most operating systems and browsers refresh the PAC file every 1-2 hours

  • Only GenAI traffic is routed through SurePath AI; all other traffic follows normal routing

  • Restart your browser after configuration to ensure settings take effect

Removing the configuration

To remove the test configuration:

Remove PAC URL:

  • Open Settings > Network & internet > Proxy

  • Toggle Use setup script to Off

  • Click Save

Remove root CA certificate:

  • Press Windows key + R and type certmgr.msc

  • Navigate to Trusted Root Certification Authorities > Certificates

  • Locate "SurePath AI Root CA"

  • Right-click the certificate and select Delete

  • Click Yes to confirm

Related Articles
Active Directory - Distributing Configuration for Windows
Google Workspace - Distributing Configuration to Chrome and ChromeOS
Rippling - Distributing Configuration for MacOS
Rippling - Distributing Configuration for Windows
Manual Installation of PAC URL and Root CA on macOS (Testing Only)
Did this answer your question?