After you allowlist the host names, import your TLS or SSL certificate into the Google Admin console as a Certificate Authority (CA). Then, you deploy the certificate to your Chrome devices so they can access your production network.
Notes:
- Do this early during your deployment to ensure users can access websites without issues.
- LDAP:// URI are not supported yet.
- You can add up to 50 certificates in each organizational unit.
Set up TLS or SSL certificate as a CA
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Devices. On the left, click Networks.
Requires having the Shared device settings administrator privilege.
- Go to Certificates.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Click Create certificate.
- Enter a name for the certificate
- Click Upload, select the PEM file, and click Open.
Note: DER-encoded certificates are not supported. - Select the platforms that the certificate is a CA for.
- Click Add.
Deploy the certificate to Chrome devices
To deploy the certificate, use an open guest Wi-Fi network. Your Chrome devices will authenticate to Google and receive the TLS or SSL certificate. The pushed certificate will apply to all enrolled Chrome devices on the primary domain.
Tip: To drive users to switch to your filtered production network after the certificate is downloaded, you can limit the guest network by setting a session-time limit or by restricting access to the Internet. You can also redirect users to information explaining that they must change their Wi-Fi network.
Verify the CA on managed Chrome devices
- Go to chrome://settings/certificates.
- Click Authorities.
- Scroll down to see the newly-added CAs.