Deploy Smart Cards on Chrome OS

As an admin, you can deploy Smart Card support on Chrome OS across your organizational unit. You can also install smart card apps on your personal device. For more details, see Use Smart Cards on Chrome OS.

Step 1: Force Install the Smart Card Connector app

You need to automatically install the Smart Card Connector app for users in your organizational unit. For information about how to force-install specific apps, see Automatically install apps and extensions.

Using the Smart Card Connector app you can provide Chromebooks with PCSC® support. This PCSC API can then be used by other applications such as smart card middleware and Citrix® to allow your users to use their smartcards inside a Citrix-provided Microsoft® Windows® session. For example, with browser integration and virtual session redirection. 

Note: The Smart Card Connector app tries to automatically detect and work with smart card readers but not all smart card readers are supported. Google only supports smartcard readers which are supported by libccid. Readers in the supported and should work categories are expected to work reliably.

For details, see a list of supported smartcard readers here.

Step 2: Force Install a Smart Card middleware app

Next you need to install the middleware app. For information about how to force-install specific apps, see Automatically install apps and extensions.

There are 2 main middleware apps available:

  • CSSI, which is supported by Google
  • CACKey

Middleware apps can communicate with smart cards and provide client certificates to authenticate users to HTTPS websites. Google has partnered with DriveLock® to provide support on Chrome OS for a wide range of cards and profiles, including CAC (Common Access Card) and PIV (Personal Identity Verification Card) cards.

You can find the DriveLock middleware provider on the Chrome Web Store. See CSSI Smart Card Middleware.

The connector app provides a public API that other middleware apps can also use. To deploy a different middleware, contact support.

Step 3: Push all necessary root and intermediate certificates

Depending on the sites users try to access, you might need to install trust roots and intermediaries on their devices. Identify those certificates and push them to users’ profiles.

For details, see Set up an HTTPS Certificate Authority.

Important: Installing a root certificate on a device is a sensitive operation. Make sure you only install root certificates you obtained and verified from sources you trust.

Step 4: Configure Smart Card Connector to auto-allow communication

Apps like Citrix and DriveLock need to contact the Smart Card Connector to communicate with users’ cards and readers. As cards and readers contain sensitive user information, the connector app show users a permission dialog before granting access to any app.

You can auto-grant permissions in the Admin console. For information on installing custom policies for apps and extensions, see Policy for extensions.

Important: Allowlisting these apps potentially provides third parties access to users' personal information such as certificates on a smart card. Make sure you have the appropriate notification and consent flows with users for collecting and sharing their personal information.

Step 5 (Optional): Configure Chrome OS to auto-select certificates for URLs

You can configure Chrome OS to automatically select certain certificates for certain URLs. In the default case, users are presented with a list of certificates that match a certain website.

You can set the Auto​Select​Certificate​For​Urls policy to remove that step by pre-matching users’ certificates to certain URL patterns. For more information and example values, see Set Chrome policies for users or browsers.

Users can sign in from any Chromebook with their Google username and password to start using their smart cards. The settings you configured are downloaded and applied. Users can navigate to HTTPS websites and they are prompted to use certificates detected on their smart cards to authenticate them into their remote systems.

Step 6 (Optional): Configure Virtual Desktop Environment

If you're using a virtual desktop environment such as Citrix or VMware®, you must configure them to allow smart card access as well as smart card redirection into the virtualized session.

For full configuration instructions see the various vendor sites.

Known Issues

Chrome OS not matching certificate on card

There might an issue with configuration of root and intermediary certificates. Make sure that you followed the instructions to set those properly. If it keeps happening, file a bug report with more information.

Chrome OS keeps connection open after card is removed

If a user removes their card, Chrome OS does not end their session with that server. This is working as intended and is also the default behavior for Chrome OS on other platforms. Chrome OS only tries to authenticate again when challenged by the server.

We recommend you set server timeouts that requires the user to sign in again at regular intervals. If you are testing and need to force the user to sign in to the server again, try using an Incognito window, which does not use the previous session and is not retained in subsequent requests.

No UI feedback on wrong PIN

If users enter a wrong PIN, DriveLock does not tell the user that this has happened. The user needs to navigate to the site to be asked for the PIN again.

Certificates provided are not filtered

All certificates are provided to the system regardless of their type. For example, certificates for email signing are also shown in the list. This might lead to user confusion. You must properly configure certificate auto-selection to avoid confusion in the deployment.

Reporting Bugs

If you run into problems during deployment, you can submit a bug report on the issue. Bug reports must contain:

  • A description of the issue and instructions to reproduce it, preferably including a screencast. There are several third-party Chrome OS apps that can capture screencasts such as Screencastify®.

  • The website you are trying to connect to. File separate bug reports for separate websites.

  • System, card, and reader Information.

    • Chrome OS version

    • Type of smart card reader

    • Smart card information—smart card vendor, type, and profile

  • Smart Card Connector logs. The screen for the Smart Card Connector has a link at the bottom that allows the user to export the logs. This copies all logs onto the clipboard. Use any text editing app to save those logs and add to the bug report.

  • Middleware app logs. Each middleware app has its own method to extract logs. For example, in the DriveLock app, logs can be extracted from the developer console.

    1. Go to chrome://extensions.

    2. On the top-right corner, select Developer mode.

    3. Scroll to the DriveLock extension and select background page.

    4. At the top, select Console.

    5. Right click anywhere in the list and select Save as… to export the logs.

  • chrome://net-internals export

    Some issues might be related to the way Chrome OS is handling client connections. Chrome OS logs can be extracted by going to chrome://net-internals/#export. The logs only start populating when you navigate to the URL, so make sure you navigate prior to running the buggy scenario.

    Note: As logs can be very large, try restricting your log capture to only the buggy scenario. For example, don't perform a Google search while you are capturing logs.

When you have completed the bug report, contact support.

Was this helpful?
How can we improve it?