Use the Certificate Enrollment for ChromeOS extension

To automatically enroll a pre-configured certificate, the user must:

1. Click the Enroll Certificate notification.
2. (Optional) Select the Enroll Device-Wide Certificate box to request a device certificate. If the box is left unchecked, a user certificate is requested.
3. Click Enroll.

To renew a certificate, the user must only click on the Certificate Renewal Reminder notification.

User certificate requests are requests that should result in a certificate being issued for the specific user sending the request, not the overall device. User certificates are only valid for the user logged into that machine, not any other users who may also use the machine.

1. Click or tab navigate to the Username field.
2. Enter your username.
3. Click or tab navigate to the Password field.
4. Enter your password.
5. Leave the Device-Wide box unchecked.

Device certificate requests are requests that should result in a certificate being issued for the overall device sending the request, not just the user sending the request. Device certificates are valid for all users belonging to the same organization on the machine, which is typically necessary for devices being used in Public Session or kiosk mode.

1. Click or tab navigate to the Username field.
2. Enter your username.
3. Click or tab navigate to the Password field.
4. Enter your password.
5. Check the Device-Wide box.

Regardless of the type of request being sent (user or device), the process to send one is the same.

1. Create either a user or device certificate request, as specified in the steps above.
2. Navigate to the Enroll button.
3. Click Enroll.

Once a request is sent, the ideal outcome is a success response from the server which will include the certificate requested.

1. Send a Certificate Request, as specified above.
2. Wait for the response to be received.
3. When a response is received, a dialog will display with a success message to signify that the certificate was received and imported.
4. Select Okay in the dialog, hit the escape key, or click outside of the dialog to close it when done.

Once a request is sent, sometimes the request can fail for a variety of reasons. An error response encapsulates these failures and will inform the user of what the problem is.

1. Send a Certificate Request, as specified above.
2. Wait for the response to be received.
3. When a response is received, a dialog will display with a failure message to signify that something went wrong.
4. Select Okay in the dialog, hit the escape key, or click outside of the dialog to close it when done.
5. If the error is correctable (such as invalid username), then performing the correction and resending the request should result in success. If not (such as when the request is denied access by the server), then the user should seek help.

Once a request is sent, sometimes the server can set that request to pending in order for someone to manually review and approve/reject the request later. A pending response encapsulates this flow and will inform the user of the relevant information to check on the status of the request later.

1. Send a Certificate Request, as specified above.
2. Wait for the response to be received.
3. When a response is received, a dialog will display with a pending message to signify that the request was set to pending. It will also display the enrollment URI and request ID of the request, which are necessary to check on it later.
4. Copy the enrollment URI and request ID somewhere to refer to later.
5. Select Okay in the dialog, hit the escape key, or click outside of the dialog to close it when done.

If a user has a pending certificate, then the user may want to check on the certificate’s status at some point. In order to create and send pending certificate requests, the user must navigate to the pending request UI.

1. Click or tab navigate and select the More Options button.
2. From the list of options generated, click or tab navigate to the ‘Show extra fields for checking on pending requests?’ option.
3. Select ‘Show extra fields for checking on pending requests?’ to enable the pending request fields to display.

If a user has previously navigated to the pending request UI, then the user may want to navigate back to the regular at some point.

1. Click or tab navigate and select the More Options button.
2. From the list of options generated, click or tab navigate to the Hide extra fields for checking on pending requests?’ option.
3. Select Hide extra fields for checking on pending requests?’ to disable the pending request fields from displaying.

If a user has a pending certificate, then the user may want to check on the certificate’s status at some point. The extension allows this flow very similarly to creating a brand new request.

1. Navigate to Pending Request UI, as specified above.
2. Click or tab navigate to the Username field.
3. Enter your username.
4. Click or tab navigate to the Password field.
5. Enter your password.
6. Click or tab navigate to the Enrollment URI field.
7. Enter the enrollment URI displayed in a previous pending certificate response.
8. Click or tab navigate to the Request ID field.
9. Enter the request ID displayed in a previous pending certificate response.
10. If the original certificate request was for a device-wide certificate, then check the Device-Wide checkbox. Otherwise, leave the Device-Wide checkbox unchecked.

Once a pending certificate checkup request has been created, the user needs to send that request in order to get a response. A pending certificate checkup request can result in a success, failure, or still pending response, which matches the flows already defined above.

1. Create a Pending Certificate Checkup Request, as specified above.
2. Navigate to the Check Status button.
3. Select the Check Status button.

Sometimes in cases of errors, it may be helpful for an assistant or administrator to see the full logs of what happened in the extension. In order for a user to obtain these logs, we provide a simple method to copy them to the user’s clipboard.

1. Click or tab navigate and select the More Options button.
2. From the list of options generated, click or tab navigate to the ‘Copy Logs to Clipboard’ option.
3. Select ‘Copy Logs to Clipboard’ to have the logs copied to the user’s clipboard.
4. From here, the user can paste these logs anywhere the user chooses through the normal process for the user’s device.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Devices > Chrome > Apps & extensions > Users & browsers.

   If you signed up for Chrome Browser Cloud Management, go to Menu  Chrome browser > Apps & extensions > Users & browsers.

3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
4. Point to Add Add from Chrome Web Store.
5. Search for and select Certificate Enrollment for ChromeOS. The extension ID is fhndealchbngfhdoncgcokameljahhog.
6. On the Users & Browsers page, select the Certificate Enrollment for ChromeOS extension.
7. In the panel on the right, under Certificate management, turn on Allow access to keys.
8. Under Installation policy, choose Force install or Force install + pin to ChromeOS taskbar.
9. Click Save.

Create a file that contains the settings that you want to apply to the Certificate Enrollment for ChromeOS extension for users. Start with this sample file and change the policies to suit your organization’s or users’ needs. You can edit the JavaScript Object Notation (JSON) file using a text editor.

Note: Policies that contain default values in user-facing strings are translated and appear on devices according to the user’s locale. You can change strings to suit your organization’s needs, but they won’t be translated.

You can set the following policies:

Configure certificate provisioning with or without user-entered credentials

By default, the certificate enrollment extension is set up to let users manually provision a certificate by providing their credentials when trying to get a certificate.

You can ensure users can automatically provision or renew a certificate without having to manually enter their credentials by using the ChromeOS extension. The extension can request both user and device certificates using Kerberos authentication if a user Kerberos ticket is available on the device. It can also request device certificates only using a service account.

Kerberos authentication

Before you begin

• The ChromeOS user must have a Kerberos ticket on the device.
  • Kerberos credential manager must be configured by policy to allow a Kerberos ticket to be fetched for the signed-in user. Preferably, this is configured to happen automatically at sign-in. See Configure Kerberos single sign-on for ChromeOS devices.
• The Active Directory user account associated with the Kerberos ticket must have permission to request certificates using the configured Certificate Template.
• The enrollment endpoint must be listed in the Integrated authentication servers ChromeOS policy. For details see the policy in the Chrome Policy list.
  • Set the Integrated authentication servers setting correctly in the Admin console. For details, see Integrated authentication servers.

Configure the extension

Set the extension policy value `client_authentication` to `kerberos`.

Hosted service account authentication

You can set the extension to request a device certificate using a service account. The credentials for the service account are hosted on a web server on your local network.

Warning: If an attacker gains access to the web server hosting the credentials and the extension policy on the device, there is the possibility that they can extract the service account credentials.

We recommend restricting access to the web server that hosts the service account credentials to a provisioning network that is only used for initial ChromeOS device provisioning.

Before you begin

• You must have a web server on the local network that can handle HTTPS requests.
• ChromeOS must trust the certificate of that web server. If the web server uses a certificate issued by a self-signed CA, you can configure the CA’s certificate to be trusted in the Admin console.

Step1: Generate the masked password

1. Open the extension.
2. Select MorePassword Mask Tool.
3. Enter the service account password.
4. Select Mask.
5. Copy the mask and the masked password into a text file.

Step 2: Store credentials on the internal web server

1. Configure the web server to serve a JSON file that contains the following:

{

  ‘username’: ‘<service account username>’,

  ‘maskedPassword’: ‘<copy and pasted masked password>’

}

2. Copy the URL that the web server is using to host the credentials into a text file.

Step 3: Configure the extension policy

1. Set the extension policy variable ‘service_account_host’ to the URL you copied above.
2. Set the extension policy variable ‘service_account_host_password_mask’ to the mask you copied above.

Automated certificate renewal

You can set the extension to renew existing certificates without additional authentication using key-based renewal.

Before you begin

An ADCS Certificate Enrollment Service (CES) endpoint that supports key-based renewal for the configured Certificate Template must be available. For details, see Configuring Certificate Enrollment Web Service for certificate key-based renewal on a custom port.

Configure the extension

• Set the extension policy value `use_key_based_renewal` to true.
• Set the extension policy value ‘ces_renewal_url’ to the URL of the Certificate Enrollment Service (CES) endpoint that supports key-based renewal.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Devices > Networks.

   Requires having the Shared device settings administrator privilege.

3. Click Wi-Fi.
4. Add a new EAP-TLS network.
   For details about how to add a Wi-Fi network configuration, see Manage networks.
5. Point the network to the enrollment extension. In the Client enrollment URL field, enter chrome-extension://fhndealchbngfhdoncgcokameljahhog/html/request_certificate.html.

Note: The enrollment extension URL is accessible in Chrome browser even if no networks are configured to enroll at this URL. This setup lets you test the URL manually before you configure any networks or enroll certificates for uses other than EAP-TLS networks, such as certificate-based VPN. Tell users to go to the URL in their browser and skip the network configuration step.

1. On a managed ChromeOS device, go to chrome://policy.
2. Click Reload policies.
3. Scroll to Certificate Enrollment for ChromeOS.
4. For each policy, make sure that the value fields are the same as what you set in the JSON file.