Let users request digital certificates

Applies to managed Chromebooks only.

As an administrator, you can let Chromebook users access your organization’s protected networks and internal resources that require a certificate for authentication. Remotely install and configure the Certificate Enrollment for Chrome OS extension so that your users can request user or system certificates on Chromebooks.

  • System certificate—shared across all managed users on the same device
  • User certificate—specific to a user

The extension also lets you scale your rollout of devices that run Chrome OS by automating the Active Directory certificate enrollment process through the Google Admin console.

Before you begin

To let users request digital certificates, you need:

  • Microsoft® Windows® Server 2008 R2 or later
  • Microsoft Internet Information Services (IIS) 7.0 or later
  • Active Directory Certificate Services (ADCS) including:
    • Certificate enrollment service (CES)
    • Certificate enrollment policy (CEP)
    • A valid certificate associated to the ADCS website in IIS
    • A visible endpoint for CEP and CES

Deploy the extension

Step 1: Force-install the extension for your users
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management and then Chrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click App Management.
  4. On the left, in the Find or Update Apps field, enter the Certificate Enrollment for Chrome OS extension ID, fhndealchbngfhdoncgcokameljahhog.
  5. Click Search.
  6. Click the Certificate Enrollment for Chrome OS app.
  7. Click User settings.
  8. On the left, select the organization where you want to force-install the extension.
    For all users, select the top-level organization. Otherwise, select a child organization.
  9. Turn on Allow installation.
  10. Turn on Force installation.
  11. Turn on Allow access to challenge enterprise keys.
  12. Click Save.
Step 2: Set the extension's configuration

Create a file that contains the settings that you want to apply to the Certificate Enrollment for Chrome OS extension for users. Start with this sample file and change the policies to suit your organization’s or users’ needs. You can edit the JavaScript® Object Notation (JSON) file using a text editor.

Note: Policies that contain default values in user-facing strings are translated and appear on devices according to the user’s locale. You can change strings to suit your organization’s needs, but they won’t be translated.

You can set the following policies:

Policy name, followed by what it does:

allow_machine_cert_enrollment

Allows users to install a system certificate.

If set to true, users can choose to request a system or user certificate. Otherwise, they can only request a user certificate.

The default is false.

cep_proxy_url

Specifies the https endpoint for the CEP.

To get the endpoint:

  1. In IIS Manager, go to the CEP website.
    The name usually contains CEP.
  2. Open Application Settings.
    The https endpoint for the CEP is listed there under URI.

Only values that start with https are valid. A value that starts with https but does not match the Uniform Resource Identifier (URI) shown in IIS Manager is still accepted and used, but enrollment requests will most likely fail.

This policy is mandatory.

company_info

Specifies your organization’s branding information, such as name and logo.

  • Set help_url to direct users to a webpage where they can get information or support.
  • If the webpage that you specify is blocked for users without a certificate, such as on first request, use help_text to provide some helpful text to them.
  • If you set help_url and help_text, the webpage you specified appears below the help text on users’ devices. 

device_cert_request_values

Specifies the values to be used in the certificate signing request (CSR) for a device certificate.

Instead of using the requester’s properties, you can define subject values based on user and device attributes. To use a custom CSR, you must also configure the certificate template on the CA to expect and generate a certificate with the subject values defined in the request itself. At minimum, you need to provide a value for the subject's CommonName.

You can use the following placeholders. All values are optional.

For devices running Chrome OS version 46 and later, you can use:

  • ${DEVICE_DIRECTORY_ID}—device’s directory ID
  • ${USER_EMAIL}—signed-in user’s email address
  • ${USER_DOMAIN}—signed-in user’s domain name

For devices running Chrome OS version 66 and later, you can use:

  • ${DEVICE_SERIAL_NUMBER}—device's serial number
  • ${DEVICE_ASSET_ID}—asset ID assigned to device by administrator
  • ${DEVICE_ANNOTATED_LOCATION}—location assigned to device by administrator

If a placeholder value isn’t available, it’s replaced with an empty string.

You can chain placeholders. For example, ${DEVICE_ASSET_ID:DEVICE_SERIAL_NUMBER} is replaced by the device’s serial number if the asset ID isn’t available.

device_enrollment_templates

List of matching certificate template names in order of priority for user-enrollment flows. The extension searches the list to find a matching certificate template. The first matching certificate template is used. If there’s an error, the extension doesn’t retry with other certificate templates.

This policy is mandatory. It must have at least one value in the list.

From the CA Microsoft Management Console (MMC), use the Template name and not the Template display name.

The default is ChromeOSWirelessUser.

enable_auto_enrollment

Controls whether the extension automatically initiates enrollment. If set to false, the extension waits for the user to attempt to connect to the EAP-TLS network.

The default is false.

log_level

Specifies the level of detail in the extension’s logs that are sent to the JavaScript console in Chrome.

NONE (default)—Nothing is logged to the console.

ERROR—Only distinct errors are logged to the console.

WARNING—Distinct errors and warnings are logged to the console.

INFO—Distinct errors and warnings along with relevant action information are logged to the console.

DEBUG—Everything is logged to the console. For the initial version, this is recommended to facilitate troubleshooting potential issues. In More Options, you can automatically copy all logs to the clipboard.

There are 2 ways that users can open the web developer console in Chrome so they can access the Chrome logs on their device:

  • Press Ctrl + Shift + i.
  • Click More tools and then Developer tools.

This policy is mandatory.

placeholder_values

Specifies the username, password, URI, request ID, and header placeholders. This information helps to guide users when they’re signing in.

  • The Username, Password, URI, and RequestID fields are displayed over the input fields to show what each input field does.
  • The Header field is used for the page’s title.
  • There are special values for the Username, Password, and Header fields that allow customers to use internationalized default names.
    • managed_username_placeholder—Username
    • managed_password_placeholder—Password
    • managed_login_header—Certificate enrollment
  • If your organization uses other terminology, such as passphrase instead of password, you can change the values. However, the new value isn’t translated.

renew_hours_before_expiry

Specifies the length of time, in hours, prior to certificate expiration that you want to notify users.

The default is 120.

renew_reminder_interval

Controls how often, in hours, users are notified that their certificates will expire soon.

After the initial notification, if the user does not renew the certificate and does not choose to ignore reminders, they’ll see further notifications after the number of hours set.

For example, if you set renew_hours_before_expiry to 120 and renew_reminder_interval to 24 and a user always chooses to receive further reminders, then the user receives 5 renewal notifications, one each day, until the certificate expires.

The default is 24.

request_timeout_seconds

The length of time, in seconds, before a call to CEP or CES times out.

The default is 20.

signature_algo

Controls what signature algorithm the extension uses to sign certificate requests. Options are:

  • SHA1 (not recommended)—weak algorithm that can compromise the security of your users
  • SHA256
  • SHA512 (default)

user_enrollment_templates

List of matching certificate template names in order of priority for user-enrollment flows. The extension searches the list to find a matching certificate template. The first matching certificate template is used. If there’s an error, the extension doesn’t retry with other certificate templates. 

This policy is mandatory. It must have at least one value in the list.

From the CA MMC, use the Template name and not the Template display name.

The default is ChromeOSWirelessUser.

Step 3: Validate the JSON file
Use your preferred tool to validate your configuration file to make sure that there are no errors in the JSON code. If you find errors, check the syntax and structure of your configuration file, make corrections, and validate it again.
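Steps 2 and 3 describe the policy file and ask you to validate it, but a generic JSON checker does not catch the rules in the policy table. The script below is an added example (not code from Google or from the extension): it embeds a constructed policy file and checks it against the rules stated above (mandatory policies, https-only cep_proxy_url, non-empty template lists, known CSR placeholders, a CommonName for a custom CSR, and the weak SHA1 option), and reproduces the renewal-reminder arithmetic from the renew_reminder_interval description. The flat key/value layout, the nested CommonName field and every example value are assumptions.

```python
import json
import re

# Constructed sample policy file: the policy names follow the article; the nested
# CommonName field, the flat key/value layout and the values are assumptions.
SAMPLE_CONFIG = """{
  "cep_proxy_url": "https://cep.example.com/service.svc/CEP",
  "user_enrollment_templates": ["ChromeOSWirelessUser"],
  "device_enrollment_templates": ["ChromeOSWirelessDevice"],
  "device_cert_request_values": {"CommonName": "${DEVICE_ASSET_ID:DEVICE_SERIAL_NUMBER}"},
  "log_level": "DEBUG",
  "signature_algo": "SHA256"
}"""

MANDATORY = ("cep_proxy_url", "device_enrollment_templates", "user_enrollment_templates", "log_level")
LOG_LEVELS = {"NONE", "ERROR", "WARNING", "INFO", "DEBUG"}
PLACEHOLDERS = {"DEVICE_DIRECTORY_ID", "USER_EMAIL", "USER_DOMAIN",
                "DEVICE_SERIAL_NUMBER", "DEVICE_ASSET_ID", "DEVICE_ANNOTATED_LOCATION"}

def check_policy(text):
    """Return the problems found in a policy file; an empty list means it passes."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = [f"{name} is mandatory" for name in MANDATORY if name not in cfg]
    # Only https endpoints are accepted; a mismatched https URI is accepted but fails later.
    if not str(cfg.get("cep_proxy_url", "")).startswith("https://"):
        problems.append("cep_proxy_url must start with https")
    for name in ("user_enrollment_templates", "device_enrollment_templates"):
        if name in cfg and not (isinstance(cfg[name], list) and cfg[name]):
            problems.append(f"{name} must list at least one template name")
    if cfg.get("log_level", "NONE") not in LOG_LEVELS:
        problems.append("log_level must be NONE, ERROR, WARNING, INFO or DEBUG")
    if cfg.get("signature_algo") == "SHA1":
        problems.append("signature_algo SHA1 is weak; use SHA256 or SHA512")
    csr = cfg.get("device_cert_request_values", {})
    if "device_cert_request_values" in cfg and "CommonName" not in csr:
        problems.append("device_cert_request_values needs a CommonName")
    # Placeholders may be chained with ':'; every name in a chain must be a known one.
    for field, value in csr.items():
        for chain in re.findall(r"\$\{([A-Z_:]+)\}", str(value)):
            unknown = set(chain.split(":")) - PLACEHOLDERS
            if unknown:
                problems.append(f"{field}: unknown placeholder {sorted(unknown)}")
    return problems

def reminder_count(hours_before_expiry, interval_hours):
    # Notifications a user who never dismisses reminders sees before expiry.
    return hours_before_expiry // interval_hours
```

Run check_policy on the file you intend to upload in Step 4; an empty result means every rule from the policy table is satisfied.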
Step 4: Apply the extension policy
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management and then Chrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click App Management.
  4. In the Find or Update Apps field, enter the Certificate Enrollment for Chrome OS extension ID, fhndealchbngfhdoncgcokameljahhog, and click Search.
  5. Click the Certificate Enrollment for Chrome OS app.
  6. Click User settings.
  7. On the left, select the organization where you want to apply the extension policy.
    For all users, select the top-level organization. Otherwise, select a child organization.
  8. Under Configure, click Upload configuration file and upload the policy file that you created in step 2.
  9. Click Save.
Step 5: (Optional) Configure the Wi-Fi network to enroll with the extension
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. Click Networks and then Wi-Fi.
  4. Add a new EAP-TLS network.
    For details about how to add Wi-Fi network configurations, see Manage networks.
  5. Point the network to the enrollment extension. In the Client enrollment URL field, enter chrome-extension://fhndealchbngfhdoncgcokameljahhog/html/request_certificate.html.

Note: The enrollment extension URL is accessible in the Chrome Browser even if no networks are configured to enroll at this URL. This lets you test the URL manually before you configure any networks, or enroll certificates for uses other than EAP-TLS networks, such as certificate-based VPN. Tell users to go to the URL indicated above in their browser and skip the network configuration step.

Step 6: Verify policies are applied
After you deploy the Certificate Enrollment for Chrome OS extension, users need to restart their devices for the settings to take effect. You can check users’ devices to make sure the policy was applied correctly.
  1. On a managed Chrome device, go to chrome://policy.
  2. Click Reload policies.
  3. Scroll to Certificate Enrollment for Chrome OS.
  4. For each policy, make sure that the value fields are the same as what you set in the JSON file.

Disclaimer

Note regarding third-party products: This article describes how Google products work with third-party products and the configurations that Google recommends. Google does not provide technical support for configuring third-party products. Google accepts no responsibility for third-party products. Please consult the product's website for the latest configuration and support information. You may also contact Google solutions providers for consulting services.
