Manage client certificates on Chrome devices

Chromebook icon updated Dec 2013

Some networks and internal web resources require users to authenticate themselves using a digital certificate. Client certificates allow users on Chrome devices to access these types of networks and resources.

To enhance the security of networks and internal resources, organizations authenticate users on employee and student devices using client-side digital certificates. For example, EAP-TLS (802.1x) authentication to allow access to LANs and mutual TLS/SSL authentication to allow access to internal web resources.

There are several steps in putting a client certificate on a device, including:

  • Generating a key pair securely on the device.
  • Sending the public key as well as other identifying and authenticating information to a certificate authority (CA) to obtain a certificate.
  • Importing the certificate to the device

Different CAs support different enrollment protocols, (like SCEP and EST), and organizations have specific workflows, checks, and rules that have to be checked before granting a certificate.

Manage and provision client certificates

Manage client certificates on Chrome devices

Starting with Chrome version 37, partners such as CAs, infrastructure management vendors, and customers can write an extension using the chrome.enterprise.platformKeys API to provision client certificates on Chrome devices. By using an extension, a wide variety of CAs, enrollment protocols, and any form of web-based workflow can be supported. Customers using Windows Active Directory Certificate services can use Google's Enterprise Enrollment tool to request and install certificates for Chrome devices (for more information, see Deploy the Certificate Enrollment for Chrome OS extension). Using extensions is a flexible way to provision client certificates. It ensures that the private key never leaves the device and is backed by the Chrome Trusted Platform Module (TPM).

When the chrome.enterprise.platformKeys API user Token is used (id equals "user"), client certificates obtained using extensions are unique to a user/device combination. For example, a second user on the same device has a different certificate. When the user logs in to another device, a different certificate is issued by the CA. Because client certificates are backed by the TPM, the certificate can't be stolen and installed on another device or be hijacked by another user. When you remove a user from a device, the certificate is removed as well.

These certificates can also be used by extensions such as VPN clients via the chrome.platformKeys API. Access to the certificates is granted in different ways depending on whether an account is managed or not. For more information, see Access model for extensions and client certificates.

Provision client certificates using an extension

To provision client certificates using an extension:

  1. Verify that you have Chrome licenses.

    Your Admin console makes it easy to deploy and control users, devices, and apps across all Chrome devices in your organization.

  2. Obtain an onboarding extension using the chrome.enterprise.platformKeys API that implements your onboarding workflow and integrates with your certificate authority.

    Go to the Chrome Web Store to find an extension for the CA you use. If an extension doesn’t already exist for the CA, you can build one yourself or hire a consultant or vendor to build one for you. For more information, see the Developer Guide.

  3. Force-install the extension for your users. The chrome.enterprise.platformKeys API is only available to extensions that are force-installed by policy.
  4. Verify that the network is configured so users in the guest or onboarding network can connect to it, and so the guest or onboarding network can communicate with the CA.

    In most cases, a guest or onboarding network does not have privileged access, so it can be used only to browse the extranet and to reach the CA for certificate onboarding. The certificate onboarding process can be initiated using this network. You can pre-configure the guest or onboarding network on all the Chrome devices that you manage. For more information, see Manage networks.

  5. Verify that each Chrome device is enrolled in the domain.

    Only users in the domain where the device is enrolled can use the device certificate.

User and device certificates

As an administrator, you can configure the enrollment flow for user and device certificates.

User certificates are bound to a managed user’s session. They can be used for user-level authentication to websites, networks, and third-party applications.

Device certificates are bound to a managed device. They’re exposed in multiple places, such as:

  • Affiliated user sessions for users who are managed by the same domain as the device.
  • Chrome OS sign-in screen, where the certificates are surfaced to networks and as part of the third-party SAML sign-in flow.
    Note: Device certificates are only surfaced in third-party SAML sign-in flow if you configured the Single Sign-On Client Certificates policy.
  • Devices in public session and kiosk mode, where the certificates are surfaced to websites, networks and third-party apps.

For information about how to configure an extension for user and device certificates, see the extension’s certificate enrollment documentation. For example, you can install a device-wide certificate for the Certificate Enrollment for Chrome OS extension. For instructions, see Deploy the Certificate Enrollment for Chrome OS Extension.

Example user experience

From a guest or onboarding network, the user attempts to connect to the EAP-TLS (802.1x) network for the first time. At this point the extension that you force-installed guides the user through a set of steps (including authentication) before installing the certificate issued by the CA. When the certificate is installed, the user can select the EAP-TLS (802.1x) network and successfully connect.

When an internal web page requires mutual TLS/SSL authentication, the internal web resource displays a message to the user that a certificate is required. At this point, the user can launch the extension that you force-installed, go through a similar set of steps as described for connecting to an EAP-TLS network, and refresh the browser to access the internal web page.

Access model for extensions and client certificates

The chrome.platformKeys API allows extensions and apps, such as VPN, to access client certificates managed by the platform. The permission model governing their use depends on whether the user account is managed or unmanaged. The following applies regardless of whether the device is enrolled or not.

Unmanaged account

When the user logs in with an unmanaged account, such as their personal account, they own and are under full control of the certificates that have been manually imported onto the device. In this scenario, the user can grant a specific extension the permission to use chrome.platformKeys to access a particular certificate. There are no further restrictions.

Managed account

When the user logs in with a managed account, such as their work account, the administrator is in charge of granting access to certificates that are meant for corporate usage. The administrator does that by specifying extensions that are allowed to use corporate certificates.

To specify extensions that can use client certificates:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Devicesand thenChrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. On the left, select the organizational unit where you want to configure settings.
    For all users, select the top-level organization. Otherwise, select a child organization. Initially, an organizational unit inherits the settings of its parent.
  5. At the top, click the type of app or extension you want to configure.

  6. Find and click the app you want to manage.

  7. In the panel on the right, under Certificate management, turn on Allow access to keys.
    Note: If you don’t see the setting, the app you selected does not support certificate management.

  8. Click Save.

The user isn't asked to grant permission to access certificates, and only certificates that have been imported via the chrome.enterprise.platformKeys API qualify for corporate usage. An extension can still ask the user to select a certificate if the extension has access to multiple certificates. Any certificate that is generated or imported by other means, such as manually, is not available for the API in the case of a managed account.

Was this helpful?
How can we improve it?