Set up TLS (or SSL) inspection on Chrome devices

2) Set up certificates

After you allowlist the host names, import your TLS or SSL certificate into the Google Admin console as a Certificate Authority (CA). Then, you deploy the certificate to your Chrome devices so they can access your production network.


  • Do this early during your deployment to ensure users can access websites without issues.
  • LDAP:// URIs are not supported yet.

Set up TLS or SSL certificate as a CA

  1. Sign in to the Google Admin console.
  2. Click Device management.
  3. On the left, click Networks.
  4. Click Certificates.
  5. (Optional) On the left, choose the organizational unit where you want to add the certificate.
    Note: The top-level organization is selected by default to give all users (including those in suborganizations) access to any added certificates.
  6. Click Add Certificate.
  7. Choose the certificate file to upload and click Open.
    Note: DER-encoded certificates are not supported. Chrome devices only accept PEM format.
  8. (Optional) If the certificate will be used as a root CA for a TLS or SSL-inspecting web filter, or to allow the browser to validate the full digital certificate chain of servers, check the appropriate OS box under "Use as a Certificate Authority for the following".
  9. Click Save and then Done to confirm.
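
The note in step 7 means a DER file has to be converted before upload. The following preflight check is an added example, not part of the original page or of any Google tooling: it detects whether a file is PEM or DER, converts DER to PEM, and refuses files that also carry a private key. The function names and the sample bytes are assumptions made for illustration, and the check covers the encoding only, not whether the certificate is a valid CA.

```python
import base64
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_single_der_object(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (the outer shape of an X.509 cert)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)   # no truncation, no trailing bytes


def to_pem_for_upload(data: bytes) -> str:
    """Return PEM text for a certificate file, converting from DER when needed."""
    text = data.decode("ascii", errors="ignore")
    if "PRIVATE KEY-----" in text:
        raise ValueError("file contains a private key; upload the CA certificate only")
    blocks = PEM_CERT.findall(text)
    if blocks:                            # already PEM, possibly a bundle
        ders = [base64.b64decode(b) for b in blocks]
    elif is_single_der_object(data):      # raw DER, needs converting
        ders = [data]
    else:
        raise ValueError("not a PEM or DER certificate")
    for der in ders:
        if not is_single_der_object(der):
            raise ValueError("certificate body is not well-formed DER")
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)


# Constructed sample: a DER-shaped placeholder (SEQUENCE, 256-byte body), not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    print(to_pem_for_upload(SAMPLE_DER))
```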

Deploy the certificate to Chrome devices

To deploy the certificate, use an open guest Wi-Fi network. Your Chrome devices will authenticate to Google and receive the TLS or SSL certificate. The pushed certificate will apply to all enrolled Chrome devices on the primary domain.

Tip: To drive users to switch to your filtered production network after the certificate is downloaded, you can limit the guest network by setting a session-time limit or by restricting access to the Internet. You can also redirect users to information explaining that they must change their Wi-Fi network.

Verify the CA on managed Chrome devices

  1. Go to chrome://settings/certificates.
  2. Click Authorities.
  3. Scroll down to see the newly added CAs.

CAs set up in your Admin console are highlighted as follows:

[Image: Certificate manager]
