You can do this on each computer. If you pick "System" it will apply to all users. If you pick "User" it will only apply to the current user. Download the CA crt and install it (right click -> install). Choose Trusted Root Certificate Authorities.
After that, close and re-open your browser and navigating to an OPE site should come up without error.
Download the CA crt and import it into your group policy settings. Default group policy is a good one.
GPO Path - Computer Policies --> Windows Settings --> Security Settings --> Public Key Policies --> Trusted Root Certificate Authorities
On client machines, you may need to run gpupdate /force or reboot for changes to take effect right away.