Set up TLS (or SSL) inspection on Chrome devices

Set up certificates

After you allowlist the host names, import your TLS or SSL certificate into the Google Admin console as a Certificate Authority (CA). Then, you deploy the certificate to your ChromeOS devices so they can access your production network.

Notes:

  • Do this early during your deployment to ensure users can access websites without issues.
  • LDAP:// URIs are not supported yet.
  • You can add up to 50 certificates in each organizational unit.

Set up TLS or SSL certificate as a CA

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devices and then Networks.
  3. Go to Certificates.
  4. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Click Create certificate.
  6. For Certificate, enter a name for the certificate.
  7. Click Upload.
  8. Select the PEM, CRT, or CER file.
    Note: Only one certificate can be included in the file. The file will be rejected if it contains no certificate or more than one certificate. DER-encoded certificates are not supported. 
  9. Click Open.
  10. For Certificate Authority, select the platforms that the certificate is a CA for.
  11. Click Add.
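
The file rules in step 8 (one certificate only, PEM rather than DER) can be checked before uploading. The following is an added example, not part of the original article or any Google tool: a structural pre-check whose function names, result strings, and sample bytes are all constructed for illustration. It does not validate the certificate itself.

```python
import base64
import binascii
import re
import sys

# Matches one PEM CERTIFICATE block and captures its base64 body.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder: a tiny ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used here to build sample input)."""
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


def check_ca_upload(data: bytes) -> str:
    """Return 'ok' or the reason the file breaks the upload rules."""
    blocks = PEM_CERT.findall(data)
    if not blocks:
        # A raw DER certificate begins with the ASN.1 SEQUENCE tag 0x30.
        if data[:1] == b"\x30":
            return "der-encoded"
        return "no-certificate"
    if len(blocks) > 1:
        return "multiple-certificates"
    try:
        der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
    except binascii.Error:
        return "corrupt-base64"
    # The decoded PEM body must itself start as a DER SEQUENCE.
    if der[:1] != b"\x30":
        return "not-a-certificate"
    return "ok"


if __name__ == "__main__":
    # Usage: python check_ca_upload.py <path-to-certificate-file>
    with open(sys.argv[1], "rb") as fh:
        print(check_ca_upload(fh.read()))
```

A result of "multiple-certificates" usually means a chain or bundle file was exported; split out the single CA certificate that the inspection appliance signs with before uploading.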

Deploy the certificate to ChromeOS devices

To deploy the certificate, use an open guest Wi-Fi network. Your ChromeOS devices will authenticate to Google and receive the TLS or SSL certificate. The pushed certificate will apply to all enrolled ChromeOS devices on the primary domain.

Tip: To drive users to switch to your filtered production network after the certificate is downloaded, you can limit the guest network by setting a session-time limit or by restricting access to the Internet. You can also redirect users to information explaining that they must change their Wi-Fi network.

Verify the CA on managed ChromeOS devices

  1. Go to chrome://settings.
  2. On the left, click Privacy and security.
  3. Click Security.
  4. Scroll to Advanced.
  5. Click Manage certificates.
  6. In the list, find the newly-added CAs.
