Deploying certificates Flashcards
Manage client certificates on ChromeOS devices using the Google Cloud Certificate Connector
To securely distribute certificates and authentication keys from your Simple Certificate Enrollment Protocol (SCEP) server to users’ devices, you can use the Google Cloud Certificate Connector. For details, see Use the Google Cloud Certificate Connector or Configuring Certificate Enrollment for ChromeOS via SCEP for a comprehensive guide.
Manage client certificates on ChromeOS devices using the Google Certificate Enrollment extension
Starting with Chrome version 37, partners, such as CAs, infrastructure management vendors, and customers, can write an extension using the chrome.enterprise.platformKeys API to provision client certificates on ChromeOS devices. By using an extension, a wide variety of CAs, enrollment protocols, and any form of web-based workflow can be supported. Customers using Microsoft Active Directory Certificate services can use Google’s Enterprise Enrollment tool to request and install certificates for Chrome devices. For more information, see Use the Certificate Enrollment for ChromeOS extension.
When the chrome.enterprise.platformKeys API user token is used (id equals “user”), client certificates obtained using extensions are unique to a user and device. For example, a second user on the same device has a different certificate. When the user signs in to another device, a different certificate is issued by the CA. Because client certificates are backed by the TPM, the certificate can’t be stolen and installed on another device or be hijacked by another user. When you remove a user from a device, the certificate is removed as well.
Manage client certificates on ChromeOS devices using a third-party extension
Verify that you have a Chrome service. See Chrome service options.
Your Admin console makes it easy to deploy and control users, devices, and apps across all ChromeOS devices in your organization.
Obtain an onboarding extension using the chrome.enterprise.platformKeys API that implements your onboarding workflow and integrates with your CA. Go to the Chrome Web Store to find an extension for the CA you use. If an extension doesn’t already exist for the CA, you can build one yourself or hire a consultant or vendor to build one for you. For more information, see the Developer Guide.
Force-install the extension for your users. The chrome.enterprise.platformKeys API is only available to extensions that are force-installed by policy. See Automatically install apps and extensions.
Verify that the network is configured so users in the guest or onboarding network can connect to it, and so the guest or onboarding network can communicate with the CA. In most cases, a guest or onboarding network does not have privileged access, so it can be used only to browse the extranet and to reach the CA for certificate onboarding. The certificate onboarding process can be initiated using this network. You can pre-configure the guest or onboarding network on all the ChromeOS devices that you manage. For more information, see Manage networks.
Verify that each ChromeOS device is enrolled in the domain. Only users in the domain where the device is enrolled can use the device certificate. See Enroll ChromeOS devices.
Android VPN configurations
Sign in to your Google Admin console.
Sign in using an administrator account.
From the Admin console Home page, go to Devices and then Chrome.
Click Settings and then Users & browsers.
To apply the setting to all users, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Go to Network and then Always on VPN.
Click Edit.
Select the Android VPN app that you want to use.
Click OK.
Choose an option:
Allow user to disconnect from a VPN manually (VPN will reconnect on log in)—Users can temporarily disconnect from the VPN connection.
Do not allow user to disconnect from a VPN manually—Users are connected to the VPN all the time, and cannot disconnect.
Click Save.
Uploading custom SSL/Root CA Certs
Sign in to your Google Admin console.
Sign in using an administrator account, not your current
In the Admin console, go to Menu and then Devices and then Networks.
Go to Certificates.
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Click Create certificate.
For Certificate, enter a name for the certificate.
Click Upload.
Select the PEM, CRT, or CER file.
Note: Only one certificate can be included in the file. The file will be rejected if it contains no certificate or more than one certificate. DER-encoded certificates are not supported.
Click Open.
For Certificate Authority, select the platforms that the certificate is a CA for.
Click Add.
Deploying Certificates locally
Go to chrome://certificate-manager/ and click Import and Bind in the top right.
OR
Deploy the certificate to ChromeOS devices
To deploy the certificate, use an open guest Wi-Fi network. Your ChromeOS devices will authenticate to Google and receive the TLS or SSL certificate. The pushed certificate will apply to all enrolled ChromeOS devices on the primary domain.
Tip: To drive users to switch to your filtered production network after the certificate is downloaded, you can limit the guest network by setting a session-time limit or by restricting access to the Internet. You can also redirect users to information explaining that they must change their Wi-Fi network.
Verify the CA on managed ChromeOS devices
Go to chrome://settings.
On the left, click Privacy and security.
Click Security.
Scroll to Advanced.
Click Manage certificates.
In the list, find the newly added CAs.
User Certs
User certificates are bound to a managed user’s session. They can be used for user-level authentication to websites, networks, and third-party applications.
Device Certs
Device certificates are bound to a managed device. They’re exposed in multiple places, such as:
Affiliated user sessions for users who are managed by the same domain as the device.
Chrome sign-in screens, where the certificates are surfaced to networks and as part of the third-party SAML sign-in flow. Note: Device certificates are only surfaced in a third-party SAML sign-in flow if you configured the Single Sign-On Client Certificates policy.
Devices in managed guest session and kiosk mode, where the certificates are surfaced to websites, networks, and third-party apps.