Use case: Require enterprise certificates

Supported editions for this feature: Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Chrome Enterprise Premium.

Enterprise certificates help ensure that user devices are trusted to access services and data in your organization. In this example, you create a Context-Aware Access level that requires user devices to have a company-issued enterprise certificate in order to access apps.

Before you begin

• Ensure that user devices are managed by Chrome Enterprise Core or other device management solutions.
• User devices must have the Endpoint Verification extension installed. Learn how to install Endpoint Verification.

About certificates

• If your company doesn't have a CA certificate and the corresponding client certificates, you can create them through the Google Cloud Certificate Authority Service.
• Client certificates must support Client Authentication (1.3.6.1.5.5.7.3.2).
• On Windows, client certificates must be present in the Current User certificate store. Certificates in the Local Machine certificate store can't be authenticated.

Configure certificate trust

To collect and validate the device enterprise certificate, you must upload the trust anchors used to issue the device certificate. The trust anchors are the root CA (Certification Authority) certificate and the relevant intermediate and subordinate certificates. Follow these steps:

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  DevicesNetworks.
3. Select the appropriate organizational unit.
4. Do one of the following:
   • If there are no certificates In the Certificates section, click Upload certificate.
   • If there are certificates, click the Certificates section, then Add certificate.
5. Enter the certificate name and upload the certificate.
6. Click the Enabled for Endpoint Verification checkbox.
7. Click Add.

Configure Chrome policy

For Endpoint Verification to search the device certificate and collect it through Chrome, you must configure the AutoSelectCertificateForURLs chrome policy.

1. In the Admin console, go to DevicesChromeSettingsUser & Browser SettingsClient certificates.
2. Select the appropriate organizational unit or group.
3. Add the AutoSelectCertificateForUrls policy, using this syntax: {"pattern":"https://[*.]clients6.google.com","filter":{"ISSUER":{"CN":"CERTIFICATE_ISSUER_NAME"}}}

   Replace CERTIFICATE_ISSUER_NAME with the common name of the root CA. Don't modify the value of pattern.

   During the certificate collection and validation process, the client certificate enables the actual mTLS connection to the above clients6.google.com hosts.

Verify Chrome policy configuration

1. Navigate to chrome://policy in the browser.
2. Verify that the configured value for AutoSelectCertificateForUrls is the value set in Step 3 in Configure Chrome policy, above.
3. Ensure that the policy Applies to value is set to Machine. On the Chrome operating system, the value is applied to Current User*.
4. Ensure that the Status for the policy does not have a Conflict. 

   For more information on policy precedence and resolving policy conflicts, see Understand Chrome policy management.

Verify client certificate collection on device

1. (On the endpoint) Sign in and initiate a sync using the Google Endpoint Verification extension.

   During this step, the client certificate is validated on the server side against the trust anchors uploaded in Configure certificate trust above.

2. (Admin console) Go to DevicesMobile and endpoints and locate the device.
3. Verify that the certificate is showing in the Endpoint Verification settings.
4. Note certificate fields such as Root CA fingerprint, Issuer string, or others on this page, and use these values to construct an access level in Configure context-aware access level below.
5. You can use the Endpoint Verification logs to help you troubleshoot any issues. To download the logs:
   1. Right-click on the Endpoint Verification extension and then go to Options.
   2. Select Log levelAllDownload Logs.
   3. Open a case with Google Workspace support and share the logs for further debugging.

Configure context-aware access level

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlContext-Aware Access.
3. Select Access levels.
4. Click Create access level.
5. Add an access level name (for example, "Require enterprise certificate") and an optional description.
6. Under Context conditions, click Advanced.

   In Advanced mode, you build your custom access level in an editing window using using Common Expressions Language (CEL). Go to Create Context-Aware access levels, Define access levels - Advanced mode for details.

7. Add the CEL expression for the access level.

   The access level can test different attributes of the certificate, such as verifying the fingerprint of the root CA certificate (example 1), or checking whether it's a valid certificate issued by a specific issuer (example 2). For a complete list of certificate attributes that can be queried, see the attribute table here.

   1) Valid certificate, verified against trust anchors and signed by the company root certificate:
   device.certificates.exists(cert, cert.is_valid && cert.root_ca_fingerprint == "v2yJUfpL6LkfUFmKVsPr0Czj+Z0LoJzLIk3j4ffJfSg").

   Replace the root fingerprint string with the string you copied in the verify certificate step above.

   2) Valid certificate, verified against trust anchors and issued by a specific issuer:
   device.certificates.exists(cert, cert.is_valid && cert.issuer =="CN=BeyondCorp Demo Device Issuer CA, OU=Enterprise Device Trust, O=BeyondCorp Enterprise, ST=New Jersey, C=US").
8. Click Save. Now you can assign this access level to apps.