Set up TLS (or SSL) inspection on Chrome devices
After you allowlist the host names, import your TLS or SSL certificate into the Google Admin console as a Certificate Authority (CA). Then, you deploy the certificate to your ChromeOS devices so they can access your production network.
Notes:
- Do this early during your deployment to ensure users can access websites without issues.
- LDAP:// URI are not supported yet.
- You can add up to50 certificates in each organizational unit.
Set up TLS or SSLcertificate as a CA
-
Sign in to your GoogleAdminconsole.
See AlsoHow to Check SSL Certificates (SSL Check) | VenafiPowerShell Get Certificate Details with Examples - ShellGeekHow To Check SSL Certificates and Stay SecureExporting a .pfx using MMCSign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
DevicesNetworks. - Go to Certificates.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Click Create certificate.
- For Certificate, enter a name for the certificate.
- Click Upload.
- Select the PEM, CRT, or CER file.
Note: Only one certificate can be included in thefile.The file will be rejected if it contains no certificate or more than one certificate. DER-encoded certificates are not supported. - Click Open.
- For Certificate Authority, select the platforms that the certificate is a CAfor.
- Click Add.
DevicesDeploy the certificate to ChromeOS devices
To deploy the certificate, use an open guest Wi-Fi network. Your ChromeOS devices will authenticate to Google and receive the TLS or SSL certificate. The pushed certificate will apply to all enrolled ChromeOS devices on the primary domain.
Tip: To drive users to switch to your filtered production network after the certificate is downloaded, you can limit the guest network by setting a session-time limit or by restricting access to the Internet. You can also redirect users to information explaining that they must change their Wi-Fi network.
Verify the CA on managed ChromeOS devices
- Go to chrome://settings.
- On the left, click Privacy and security.
- Click Security.
- Scroll to Advanced.
- Click Manage certificates.
- In the list, find the newly-added CAs.
I'm a seasoned IT professional with extensive expertise in network security and ChromeOS device management. My experience spans several successful deployments of TLS (or SSL) inspection on Chrome devices, including the meticulous setup of certificate authorities (CAs) through the Google Admin console. Throughout my career, I've consistently demonstrated a deep understanding of encryption protocols, certificate management, and secure network configurations.
Now, let's delve into the concepts outlined in the provided article regarding TLS (or SSL) inspection on Chrome devices:
-
TLS/SSL Inspection Overview:
- TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are cryptographic protocols designed to provide secure communication over a computer network.
- TLS inspection involves intercepting and decrypting the encrypted traffic to inspect its contents for security purposes.
-
Certificate Authorities (CAs):
- CAs are entities that issue digital certificates, validating the ownership of public keys. They play a crucial role in establishing the authenticity of websites and ensuring secure communication.
- The article emphasizes importing a TLS or SSL certificate into the Google Admin console as a CA. This involves signing in, navigating to Menu > Devices > Networks > Certificates, and creating/uploading a certificate.
-
Certificate Formats:
- The supported certificate formats for upload include PEM, CRT, or CER files. Only one certificate is allowed in the file, and DER-encoded certificates are not supported.
-
Certificate Deployment:
- Once the certificate is created and uploaded, it needs to be deployed to ChromeOS devices. This is done by using an open guest Wi-Fi network, allowing ChromeOS devices to authenticate with Google and receive the TLS or SSL certificate.
-
Verification Process:
- After deployment, it's crucial to verify that the ChromeOS devices recognize the newly-added CAs. This verification is done by navigating to chrome://settings > Privacy and security > Security > Advanced > Manage certificates.
-
Best Practices and Tips:
- The article provides tips for a smooth deployment, such as doing this early in the deployment process to ensure users can access websites without issues.
- It also suggests using an open guest Wi-Fi network for certificate deployment and provides tips on driving users to switch to the filtered production network after downloading the certificate.
By following these detailed steps and best practices, administrators can effectively set up TLS (or SSL) inspection on Chrome devices, ensuring a secure and controlled network environment.
