Push Certificate Authority Via Google Chrome Management

Owned by Josh Hiner
Last updated: Mar 06, 2019
2 min read

General Info

  • If you are doing this for deep scanning you need to exempt the Google log-in sites from deep scanning by using FQDN address entries 
  • The addresses are found here in their SSL inspection Howto page: https://support.google.com/chrome/a/answer/6334001?hl=en&ref_topic=3504941
  • WARNING: You can push certs to a subdomain but they WILL NOT trust. Each user would have to trust them. That is not feasible. You cant push and trust certs to student.domain.com for instance. You can do this for domain.com though as long as the users/devices are in the root domain.

Howto

  1. Sign in to the Google Admin console.
  2. Click Device management.
  3. On the left, click Network.
  4. Click Certificates.
  5. (Optional) On the left, choose the organizational unit where you want to add the certificate.
    Note: The top-level organization is selected by default to give all users (including those in suborganizations) access to any added certificates.
  6. Click Add Certificate.
  7. Choose the certificate file to upload and click Open.
    Note: DER-encoded certificates are not supported. Chrome devices only accept PEM format.
  8. (Optional) If the certificate will be used as a root CA for an SSL-inspecting web filter or to allow the browser to validate the full digital certificate chain of servers, check the Use this certificate as an HTTPS certificate authority box.
  9. Click Save and then Done to confirm.
  10. You will need a way for chrome devices to get the cert/sync the new policy. Dont enable deep scanning until the cert is pushed (or disable deep scanning until the policy is pushed).


Verify the certificate is pushed

Before you begin

  • Users need to sign in with an account in the domain that the device is enrolled in. For example, if the device is enrolled in the school.edu domain, the user needs to sign in with an account that uses the domain, such as user@school.edu.
  • If you have secondary G Suite domain that is managed under a primary domain and the user account is in the secondary domain, you need to enroll the device in the secondary domain. The device’s enrollment domain and signed-in user’s domain must match for the pushed certificate to work.

Verify SSL inspection is working

If Deep scanning is enabled

  1. Sign in to a Chrome device with a user account in the domain where the certificate was applied.
  2. Go to a site where SSL inspection is applied by your web filter.

  3. Verify the building icon is in the address bar. Click it to see details about permissions and the connection.

To simply look at the cert in settings

  1. In the addressbar type chrome://settings/certificates
  2. Click on the Authorities tab
  3. You should see the certificate in the list with a building icon next to it (which means the cert is pushed via google console