Set up TLS (or SSL) inspection on Chrome devices

3) Verify TLS (or SSL) inspection works

Before you begin

  • Users need to sign in with an account in the domain that the device is enrolled in. For example, if the device is enrolled in the school.edu domain, the user needs to sign in with an account that uses the domain, such as user@school.edu.
  • If you have a secondary G Suite domain that is managed under a primary domain and the user account is in the secondary domain, you need to enroll the device in the secondary domain. The device’s enrollment domain and signed-in user’s domain must match for the pushed certificate to work.

Verify TLS (or SSL) inspection is working

  1. Sign in to a Chrome device with a user account in the domain where the certificate was applied.
  2. Go to a site where TLS inspection is applied by your web filter.
  3. Verify the building icon is in the address bar. Click it to see details about permissions and the connection.


  4. (Optional) To see details about the certificate, click Certificate information.


TLS inspection isn't working

If TLS inspection isn't working, check if any certificates were manually installed on the device. Manually installed certificates might conflict with certificates that are deployed from your Admin console. Contact your web filter provider for advice on an alternative setup.

Verify hostname whitelist is working

1) Boot up and sign in to your Chromebook or log in as guest.

2) Use the keyboard shortcut Ctrl + Alt + T to open the Crosh terminal in your browser.

3) Type:

network_diag --hosts

or, if you use an HTTP proxy:

network_diag --hosts --proxy http://192.168.1.1:8888

where http://192.168.1.1:8888 is the hostname and port of your HTTP proxy.

4) The command attempts a TLS connection to each of the hosts in the whitelist and reports PASS / FAIL. If any host does not pass, check your firewall / proxy to confirm the host is properly whitelisted.

Sample command and output:

crosh> network_diag --hosts
checking accounts.google.com... PASS
checking accounts.gstatic.com... PASS
checking accounts.youtube.com... PASS
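
A complementary check that can be run from an admin workstation on the same network, added here as an example and not part of the original article or of network_diag: it connects to each host and reports who issued the certificate, so a whitelisted host that is still being re-signed by the web filter shows up as a failure. Assumptions: a direct connection (no HTTP proxy), and "Example Web Filter CA" is a placeholder for the issuer name your filter uses.

```python
import socket
import ssl

# Hosts taken from the sample output above; the CA name is a placeholder.
HOSTS = ["accounts.google.com", "accounts.gstatic.com", "accounts.youtube.com"]
INSPECTION_ISSUERS = {"Example Web Filter CA"}  # assumption: your filter's issuer CN


def issuer_cn(cert):
    """Issuer commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, inspection_issuers=INSPECTION_ISSUERS):
    """Whitelisted hosts must present their own chain, not the filter's."""
    cn = issuer_cn(cert)
    if cn is None:
        return "FAIL (no issuer in certificate)"
    if cn in inspection_issuers:
        return f"FAIL (inspected, issuer: {cn})"
    return f"PASS (issuer: {cn})"


def check_host(host, port=443, timeout=5.0):
    """Handshake with normal verification, then classify the leaf's issuer."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain: typical when the filter re-signs the certificate
        # and this machine does not trust the inspection CA.
        return f"FAIL (chain not trusted: {exc.verify_message})"
    except OSError as exc:
        return f"FAIL (connection error: {exc})"


if __name__ == "__main__":
    for h in HOSTS:
        print(f"checking {h}... {check_host(h)}")
```

If the filter signs through an intermediate CA, add that intermediate's common name to INSPECTION_ISSUERS, because the check looks at the issuer of the leaf certificate only.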
