After you allowlist the host names, import your TLS or SSL certificate into the Google Admin console as a Certificate Authority (CA). Then, you deploy the certificate to your Chrome devices so they can access your production network.
- Do this early during your deployment to ensure users can access websites without issues.
- LDAP:// URIs are not supported yet.
Set up TLS or SSL certificate as a CA
- Sign in to the Google Admin console.
- Click Device management.
- On the left, click Networks.
- Click Certificates.
- (Optional) On the left, choose the organizational unit where you want to add the certificate.
Note: The top-level organization is selected by default to give all users (including those in suborganizations) access to any added certificates.
- Click Add Certificate.
- Choose the certificate file to upload and click Open.
Note: DER-encoded certificates are not supported. Chrome devices only accept PEM format.
- (Optional) If the certificate will be used as a root CA for a TLS or SSL-inspecting web filter, or to allow the browser to validate the full digital certificate chain of servers, check the appropriate OS box under "Use as a Certificate Authority for the following".
- Click Save and then Done to confirm.
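
A pre-upload check for the PEM-only requirement in the note above, as an added example that is not part of the original article: it accepts certificate bytes in PEM or DER encoding and returns PEM text ready to upload. The function names and the sample bytes are constructed for illustration; the sample is a placeholder DER structure, not a real certificate, and the check covers only the encoding, not the certificate's contents.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder: a DER SEQUENCE with a 256-byte body (not a real cert).
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)


def der_total_length(data: bytes) -> int:
    """Return the encoded size of the outer DER SEQUENCE, or -1 if malformed."""
    if len(data) < 2 or data[0] != 0x30:       # a certificate is a SEQUENCE
        return -1
    first = data[1]
    if first < 0x80:                           # short-form length
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_pem(data: bytes) -> str:
    """Normalise certificate bytes (PEM, PEM bundle, or DER) to PEM text."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        out = []
        for body in blocks:
            # Strip line breaks (LF or CRLF) and reject non-base64 characters.
            der = base64.b64decode(b"".join(body.split()), validate=True)
            if der_total_length(der) != len(der):
                raise ValueError("PEM block does not hold exactly one DER structure")
            out.append(ssl.DER_cert_to_PEM_cert(der))
        return "".join(out)
    if der_total_length(data) == len(data):    # raw DER: wrap it as PEM
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("input is neither PEM nor DER certificate data")


if __name__ == "__main__":
    print(to_pem(SAMPLE_DER))
```
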
Deploy the certificate to Chrome devices
To deploy the certificate, use an open guest Wi-Fi network. Your Chrome devices will authenticate to Google and receive the TLS or SSL certificate. The pushed certificate will apply to all enrolled Chrome devices on the primary domain.
Tip: To drive users to switch to your filtered production network after the certificate is downloaded, you can limit the guest network by setting a session-time limit or by restricting access to the Internet. You can also redirect users to information explaining that they must change their Wi-Fi network.
Verify the CA on managed Chrome devices
- Go to chrome://settings/certificates.
- Click Authorities.
- Scroll down to see the newly added CAs.
CAs set up in your Admin console are highlighted as follows: