Deploy Smart Cards on Chrome OS

As an admin, you can deploy Smart Card support on Chrome OS across your organizational unit. You can also install smart card apps on your personal device. For more details, see Use Smart Cards on Chrome OS.

Step 1: Force Install the Smart Card Connector app

The Smart Card Connector app provides Chromebooks with PCSC® support. Other applications, such as smart card middleware and Citrix, can then use this PCSC API to build functionality on top of it, for example browser integration and virtual session redirection.

You need to automatically install the Smart Card Connector app for users in your organizational unit. For information about how to force-install specific apps, see Automatically install apps and extensions.

Note: The Smart Card Connector app tries to automatically detect and work with smart card readers, but not all smart card readers are supported. The app builds on top of libccid, which publishes a list of supported readers. Readers in the “supported” and “should work” categories are expected to work reliably.

Step 2: Force Install a Smart Card middleware app

Next, you need to install the middleware app that can communicate with smart cards and provide client certificates to authenticate users to HTTPS websites. Google has partnered with Charismathics® to provide support on Chrome OS for a wide range of cards and profiles, including CAC (Common Access Card) and PIV (Personal Identity Verification) cards. You can find the Charismathics middleware provider on the Chrome Web Store. See CSSI Smart Card Middleware.

For information about how to force-install specific apps, see Automatically install apps and extensions.

Note: The connector app provides a public API that other middleware apps like CACKey can also use. To deploy a different middleware, contact support.

Step 3: Push all necessary root and intermediate certificates

Depending on the sites users try to access, you might need to install trust roots and intermediaries on their devices. When those certificates are identified, you can follow the instructions in Set up an HTTPS Certificate Authority to push those certificates to users’ profiles.

Important: Installing a root certificate on a device is a sensitive operation. Make sure you only install root certificates you obtained and verified from sources you trust.

Step 4: Configure Smart Card Connector to auto-allow communication

Apps like Citrix® and Charismathics need to contact the Smart Card Connector to communicate with users’ cards and readers. As cards and readers contain sensitive user information, the connector app shows users a permission dialog before granting access to any app.

You can auto-grant permissions in the Admin console. For information on installing custom policies for apps and extensions, see Policy for extensions.

Important: Whitelisting these apps potentially provides third parties access to users' personal information such as certificates on a smart card. Make sure you have the appropriate notification and consent flows with users for collecting and sharing their personal information.
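As an added example (not part of this article), a custom policy for the Smart Card Connector app that pre-approves two client apps so users are not shown the permission dialog for them. It assumes the connector's `force_allowed_client_app_ids` policy key; the two app IDs are placeholders to be replaced with the 32-character Chrome Web Store IDs of your middleware and Citrix apps.

```json
{
  "force_allowed_client_app_ids": {
    "Value": [
      "PLACEHOLDER_MIDDLEWARE_APP_ID",
      "PLACEHOLDER_CITRIX_APP_ID"
    ]
  }
}
```

Only list apps you have reviewed, because each ID in this list gains silent access to the cards and readers of every user in the organizational unit the policy applies to.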

Step 5 (Optional): Configure Chrome to auto-select certificates for URLs

You can configure Chrome OS to automatically select certain certificates for certain URLs. By default, users are presented with a list of the certificates that match a given website. You can set this policy to remove that step by pre-matching users’ certificates to certain URL patterns. For more information and example values, see Set Chrome policies for users or browsers.

Users can sign in from any Chromebook with their Google username and password to start using their smart cards. The settings you configured are downloaded and applied. Users can navigate to HTTPS websites and Chrome prompts them to use certificates it has detected on their smart cards to authenticate them into their remote systems.
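An added example (not from the article) of the AutoSelectCertificateForUrls policy value for the remote systems described above, which also addresses the unfiltered certificate list noted under Known Issues: each rule's pattern limits it to one origin, and the ISSUER filter selects the card certificate issued by the authentication CA, so an email-signing certificate from a different issuer is never offered. The URLs, issuer names, and organization are placeholders; Chrome stores each rule of this list as one JSON-encoded string.

```json
[
  {
    "pattern": "https://portal.example.com",
    "filter": {
      "ISSUER": {
        "CN": "Example Authentication CA",
        "O": "Example Corp"
      }
    }
  },
  {
    "pattern": "[*.]vdi.example.com",
    "filter": {
      "ISSUER": {
        "CN": "Example Authentication CA",
        "O": "Example Corp"
      }
    }
  }
]
```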

Step 6 (Optional): Configure Virtual Desktop Environment

If you're using a virtual desktop environment such as Citrix® or VMware®, you must configure it to allow smart card access as well as smart card redirection into the virtualized session. For full configuration instructions, see the vendor's documentation.

Known Issues

Chrome not matching certificate on card

There might be an issue with the configuration of root and intermediary certificates. Make sure that you followed the instructions to set those up properly. If it keeps happening, file a bug report with more information.

Chrome keeps connection open after card is removed

If a user removes their card, Chrome does not end their session with that server. This is working as intended and is also the default behavior for Chrome on other platforms. Chrome only tries to authenticate again when challenged by the server. We recommend you set server timeouts that require the user to sign in again at regular intervals. If you are testing and need to force the user to sign in to the server again, try using an Incognito window, which does not use the previous session and whose state is not retained for subsequent requests.

No UI feedback on wrong PIN

If users enter a wrong PIN, Charismathics® does not tell the user that this has happened. The user needs to navigate to the site to be asked for the PIN again.

Certificates provided are not filtered

All certificates are provided to the system regardless of their type. For example, certificates for email signing are also shown in the list. This might lead to user confusion. Properly configuring certificate auto-selection is crucial in cases like these to avoid confusion in the deployment.

Reporting Bugs

If you run into problems during deployment, you can submit a bug report on the issue. Bug reports must contain:

  • A description of the issue and instructions to reproduce it, preferably including a screencast. There are several third-party Chrome apps that can capture screencasts such as Screencastify®.

  • The website you are trying to connect to. File separate bug reports for separate websites.

  • System, card, and reader Information.

    • Chrome OS version

    • Type of smart card reader

    • Smart card information—smart card vendor, type, and profile

  • Smart Card Connector logs. The screen for the Smart Card Connector has a link at the bottom that allows the user to export the logs. This copies all logs onto the clipboard. Use any text editing app to save those logs and add to the bug report.

  • Middleware app logs. Each middleware app has its own method to extract logs. For example, in the Charismathics® app, logs can be extracted from the developer console.

    1. Go to chrome://extensions.

    2. On the top-right corner, select Developer mode.

    3. Scroll to the Charismathics extension and select background page.

    4. At the top, select Console.

    5. Right click anywhere in the list and select Save as… to export the logs.

  • chrome://net-internals export.

    Some issues might be related to the way Chrome is handling client connections. Chrome logs can be extracted by going to chrome://net-internals/#export. The logs only start populating when you navigate to the URL, so make sure you navigate prior to running the buggy scenario.

    Note: As logs can be very large, try restricting your log capture to only the buggy scenario. For example, don't perform a Google search while you are capturing logs.

When you have completed the bug report, contact support.
