Troubleshoot digital certificate requests

Applies to managed Chromebooks only.

As an administrator, you can remotely force-install the Certificate Enrollment for Chrome OS extension for your users. Then, they can request user or system certificates from your Certificate Authority (CA), allowing them to authenticate themselves to relevant services.

Here's how to fix problems you might have when users request digital certificates.

Error messages in the extension’s UI

Could not find a valid system token. Your device may not be enrolled in the domain, or you may not have rights to request a system certificate.

Make sure that the Certificate Enrollment for Chrome OS extension is force-installed for your users.

Error messages in Chrome console logs

Could not enroll to the specified uri.

Check the permissions for authenticated users set in the CA template. Then, make sure that relevant users have the appropriate privileges.

Extension requests incorrect enrollment endpoints.

Check the Certificate Enrollment for Chrome OS extension’s console logs to make sure the URL request is correct.
  • Correct URL request—https://userNameGoesHere:passWordGoesHere@yourCEPServiceUriGoesHere
  • Incorrect URL request—chrome-extension://userNameGoesHere:passWordGoesHere@fhndealchbngfhdoncgcokameljahhog/html/request_certificate.html

Users might have URL request issues when the Certificate Enrollment for Chrome OS extension is first installed and has no existing state information. Or, issues might arise when the extension is updated and loses its previous state information.
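The URL check described above can be run over copied console output. The following is an added example, not code from the extension or from this page's author. The log line layout, user name, password and host `cep.example.test` are constructed for illustration. It flags requests that use the chrome-extension:// form and removes the embedded credentials before the lines are shared.

```javascript
// Added example (not part of the extension): classify request URLs copied from
// the extension's console logs and strip credentials before sharing them.
// The log line layout, credentials and CEP host below are constructed.

function checkEnrollmentUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: 'not a parseable URL', redacted: '[unparseable]' };
  }
  // Rebuild the URL without userinfo (and without query or fragment) so the
  // password never ends up in a ticket or chat message.
  const cred = (u.username || u.password) ? '<redacted>@' : '';
  const redacted = `${u.protocol}//${cred}${u.host}${u.pathname}`;

  if (u.protocol === 'chrome-extension:') {
    // The page lists this form as the incorrect request: it points at the
    // extension's own page instead of the CEP service URI.
    return { ok: false, reason: 'request targets the extension, not the CEP service', redacted };
  }
  if (u.protocol !== 'https:') {
    return { ok: false, reason: `unexpected scheme ${u.protocol}`, redacted };
  }
  return { ok: true, reason: 'https request to a CEP service host', redacted };
}

// Pull every URL-looking token out of pasted log text and check each one.
function scanConsoleLog(text) {
  const urls = text.match(/[a-z][a-z0-9+.-]*:\/\/[^\s"']+/gi) || [];
  return urls.map(checkEnrollmentUrl);
}

// Constructed sample input, one correct and one incorrect request.
const sampleLog = [
  '[constructed] Requesting https://alice:Example-Pw1@cep.example.test/cep/service.svc',
  '[constructed] Requesting chrome-extension://alice:Example-Pw1@fhndealchbngfhdoncgcokameljahhog/html/request_certificate.html',
].join('\n');

for (const r of scanConsoleLog(sampleLog)) {
  console.log(r.ok ? 'OK ' : 'BAD', r.redacted, '-', r.reason);
}
```
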

When you want to push a new or updated policy to the extension, first push an empty policy so that all current policy values are flushed and reset. Then, push the policy you want.

  1. Push an empty policy.
  2. Verify policies are applied on users’ devices.
  3. Push the policy you want.
  4. Verify policies are applied on users’ devices.
  5. Refresh the Certificate Enrollment for Chrome OS extension.

No enrollment uris available to enroll to.

In most cases, the Certificate Enrollment Policy (CEP) can’t find your configured template. Check the CA for the more typical causes:
  • Make sure that you configured the role services for Certificate Enrollment to accept username and password authentication (not Kerberos, for example).
  • Make sure that your extension configuration is defined to use the correct CA template.
  • Ensure that the value entered in the user_enrollment_templates policy in the JSON file is the same as the CA’s Template name, not the Template display name.
  • Check the permissions for authenticated users set in the CA template. Then, make sure that relevant users have the appropriate privileges.