Configure Chrome browser to provision its own client certificate

Client certificates can be used by Chrome browser to establish trust with a remote server by proving the user's identity, or the device's identity, over a mutual TLS connection. In addition, Chrome can provision client certificates for managed Chrome profiles; the certificate is stored in the profile's data, so only Chrome can access it. Admins who use Microsoft Conditional Access can treat these certificates as a signal that a request comes from a managed Chrome profile, and use that signal to control access to corporate resources.

Requirements

  • Enrollment and access to Chrome Enterprise Core with managed users or profile-based management.
  • An access vendor that supports writing access policies against certificates issued by custom root certificate authorities (CAs).

Step 1: Provision a Google CA

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Chrome browser > Connectors.

    Requires having the Chrome administrator privilege.

  3. (Optional) If you’re configuring Chrome browser connector for the first time, follow the prompts to turn on Connectors.
  4. At the top, click + New provider configuration.
  5. In the panel that appears on the right, find Google Certificate Authority.
  6. Click Set up.
  7. In the side-dialog that opens, click Provision.

Configurations are added for your entire organization. Then, you can use them in any organizational unit, as needed.

  1. From the Admin console Home page, go to Chrome browser > Connectors.
  2. Select a child organizational unit.
  3. For Certificate connectors, select the Google Certificate Authority configuration that you want to use.
  4. Click Save.

Step 2: Configure the Client certificates setting

Now that managed profiles have client certificates, you need to specify when to use them.
In your Google Admin console:
  1. Go to Menu and then Chrome browser > Settings. The User & browser settings page opens by default.

    Requires having the Mobile Device Management administrator privilege.

  2. To apply the setting to all enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Go to Content.
  4. Find and click Client certificates.
  5. In the text box, enter these two lines:
    • {"pattern": "https://[*.]mcas.ms", "filter": {"ISSUER":{"CN":"Chrome Enterprise CA"}}}
    • {"pattern": "https://[*.]device.login.microsoftonline.com", "filter": {}}
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).
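The two Client certificates entries above are AutoSelectCertificateForUrls rules: a URL pattern plus a filter on the certificate's issuer (an empty filter matches any client certificate). The following added example, not part of Google's documentation, shows how those two rules decide whether a given certificate is auto-selected for a given URL. It assumes a simplified pattern matcher (scheme and host only, with `[*.]` meaning the host or any subdomain); the sample certificates are constructed issuer/subject names, not real certificates.

```python
import json
from urllib.parse import urlsplit

# The two entries from the Client certificates setting (Step 2), verbatim.
AUTO_SELECT_POLICY = [
    '{"pattern": "https://[*.]mcas.ms", "filter": {"ISSUER":{"CN":"Chrome Enterprise CA"}}}',
    '{"pattern": "https://[*.]device.login.microsoftonline.com", "filter": {}}',
]


def pattern_matches(pattern, url):
    """Match a content-settings URL pattern against a URL.

    Assumption (simplified): only scheme and host are compared. A leading
    '[*.]' means 'this host or any subdomain of it'; ports and paths are ignored.
    """
    pat_scheme, _, pat_host = pattern.partition("://")
    parts = urlsplit(url)
    if pat_scheme != "*" and pat_scheme != parts.scheme:
        return False
    host = (parts.hostname or "").lower()
    if pat_host.startswith("[*.]"):
        base = pat_host[4:].lower()
        return host == base or host.endswith("." + base)
    return host == pat_host.lower()


def filter_matches(cert_filter, cert):
    """A filter matches when every listed ISSUER/SUBJECT field equals the
    certificate's value. An empty filter {} matches any client certificate."""
    for section in ("ISSUER", "SUBJECT"):
        for field, wanted in cert_filter.get(section, {}).items():
            if cert.get(section, {}).get(field) != wanted:
                return False
    return True


def auto_selected(url, cert, entries=AUTO_SELECT_POLICY):
    """Return True if some rule would make Chrome present `cert` to `url`
    without prompting the user."""
    for raw in entries:
        entry = json.loads(raw)
        if pattern_matches(entry["pattern"], url) and filter_matches(entry.get("filter", {}), cert):
            return True
    return False


# Constructed sample certificates (names only, not real certificates).
GCA_CERT = {"ISSUER": {"CN": "Chrome Enterprise CA"}, "SUBJECT": {"CN": "profile-01"}}
OTHER_CERT = {"ISSUER": {"CN": "Contoso Corp CA"}, "SUBJECT": {"CN": "laptop-42"}}
```

Note that the second rule's empty filter lets any client certificate be sent to the device-login endpoint, while the first rule only releases the Google-CA certificate to `mcas.ms` hosts.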

Step 3: Set up Microsoft portals

Any access solution that supports client certificates can be integrated with Chrome's client certificates. Check with your access vendor to confirm that they support writing access policies against certificates issued by custom root CAs.
This example shows how to integrate with Microsoft Conditional Access and Microsoft Defender for Cloud Apps. The admin registers the Google CA's trust anchor in their Microsoft environment, so that it can recognize client certificates presented by Chrome profiles.
In your Google Admin console:
  1. Go to Menu and then Chrome browser > Connectors.

    Requires having the Chrome administrator privilege.

  2. Find the Google Certificate Authority configuration that you want to use.
  3. On the right, click Details.
  4. Download the Trust Anchors file, GoogleCertificateAuthority.pem.

In your Microsoft Defender portal:

  1. Sign in to the Microsoft Defender portal at security.microsoft.com.
  2. Go to Settings > Cloud apps > Device Identification.
  3. Click + Add a root certificate.
  4. Enter the name, GCA. Description is optional.
  5. Select the PEM file, GoogleCertificateAuthority.pem, that you downloaded.
  6. Click Add.
  7. Click Save.

Step 4: Create a Microsoft Defender policy

Create a Microsoft Defender Access policy, to later be used in a Microsoft Entra Conditional Access policy.
This example shows the steps to provide protection to Microsoft 365 applications.
  1. Sign in to the Microsoft Defender portal at security.microsoft.com.
  2. Go to Cloud apps > Policies > Policy management.
  3. Click Create policy > Access policy.
  4. Enter details:
    1. Policy name—GCA policy
    2. Activities matching all of the following:
      1. Device > Tag > does not equal > Valid client certificate
      2. App > manual onboarding > equals > Microsoft 365
      3. Client app > equals > Browser
    3. Actions—Block
  5. Click Create.

Step 5: Microsoft Entra Conditional Access Policy

Configure a Microsoft Entra Conditional Access policy, so that you can associate users and groups for which you plan to enforce the Microsoft Defender access policies that you just created.

  1. Sign in to the Microsoft Azure portal, portal.azure.com.
  2. Click the Microsoft Entra Conditional Access icon.
  3. Click Create new policy.
  4. Enter the policy name, such as Defender Access Policies.
  5. Select the users or groups you want to enforce this policy for.
  6. Configure Target resources to include All cloud apps.
  7. Configure the Access controls > Session section:
    1. Check the Use Conditional Access App Control box.
    2. Leave Use custom policy… as-is.
    3. Click Select.
  8. Set Enable policy to On.
  9. Click Create.

Step 6: Verify policies have been applied

After you apply any Chrome policies, you can check users’ devices to make sure the policy was applied correctly.

  1. In the managed profile where you set the policies, browse to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. For the policies you set, make sure Status is set to OK.
  5. For each policy, click Show value and make sure that the value fields are the same as what you set in the policy.
    1. ProvisionManagedClientCertificateForUser is set to 1.
    2. AutoSelectCertificateForUrls contains the text that you specified for the Client certificates setting.
      • {"pattern": "https://[*.]mcas.ms", "filter": {"ISSUER":{"CN":"Chrome Enterprise CA"}}}
  6. (Optional) Verify that the profile has a Google Certificate Authority client certificate.
    Check chrome://connectors-internals/#managed-client-certificate.

Troubleshoot

Issue

If the AutoSelectCertificateForUrls policy is missing the value and has Conflict status, you might be signed into an unaffiliated profile. This can happen if:

  1. The browser is enrolled in Chrome Enterprise Core with a different organization.
  2. Platform policies are set but the browser is not enrolled with Chrome Enterprise Core.

Fix

  • Fully un-enroll the device.
  • Enroll the browser with Chrome Enterprise Core in your organization.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
