Sectigo Identity for Chromebooks administrator guide

This document describes how to deploy Sectigo Identity for Chromebooks ("the application") to manage X.509 security certificates on Chromebooks administered using Enterprise Workspace.

Overview

Sectigo Identity for Chromebooks provides the ability for a Chromebook to request and then receive valid X.509 certificates signed by Sectigo, acting as the Certificate Authority.

The certificates are obtained via Sectigo Certificate Manager (SCM) using the Simple Certificate Enrollment Protocol (SCEP). They allow the device and user to participate in authenticated and secure communication with other software systems, such as messaging applications, over cybersecurity protocols, such as TLS/SSL.

The application is delivered as an extension for Chrome. While the extension can be installed onto individual machines one at a time, typically a network administrator will install it onto several machines at once using an Enterprise Google Workspace administrator account.

Due to the nature of the security operations performed by the extension, it must be force-installed onto the target devices from your organization’s Google Workspace account. Please ensure you follow the directions in Securing the application policy configuration to adopt a strong security posture for your Chromebooks.

Audience

This document is intended for IT administrators and network administrators who manage Chromebooks for an enterprise using a Google Workspace administrator account.

Scope

This document contains instructions for deploying the application for Chrome OS. The document assumes familiarity with SCM, Google Workspace, and Chrome device policies.

For more information on Chrome and Device Policy management, see Manage policies for Chrome OS devices.

Prerequisites

The application requires the following:

  • Hardware: Google Chromebook

    The Chromebook requires updated firmware if it is affected by the TPM firmware vulnerability. For more information, see Trusted Platform Module firmware vulnerability.
  • Software: Chrome OS

  • Organization:

    • Your organization has an SCM account.

    • Your organization has an Enterprise Google Workspace account.

    • You can host the application’s files in a publicly accessible location for deployment.

      Since the extension is not hosted in the Chrome Web Store, it must be hosted at a location accessible to the devices you want it installed on.

The following sections describe the configuration requirements for SCM and Google Workspace.

SCM configuration

SCM is used to deploy both device and client certificates to enrolled devices via SCEP.

Sectigo Identity uses the term user certificate interchangeably with client certificate.

The application requires the following SCM features to be configured by your Sectigo account manager:

  • Device certificates with SCEP enabled, and corresponding RA certificates. When enrolling through SCEP, ensure that the Include root certificates option is disabled in Customer > Edit > SCEP RA Certificates > Configure.

  • A private CA to issue device certificates.

In addition, your company SCM administrator must set up the following in SCM:

  • At least one device certificate profile. The private CA enrolling backend specified for the device certificate profile must correspond to the CA certificate chain assigned to the customer account for SCEP.

    For greater flexibility, you can make the certificate available for all organizations. To do this, expand the left pane and navigate to Enrollment > Certificate Profiles in SCM, select the device certificate profile, click Delegate, and set the delegation mode to General.

    [Figure: Delegate certificate profile]
  • Device certificate SCEP enrollment endpoint, with an account configured for the organizations or departments under which the device certificates are to be enrolled; the account is also used to define the SCEP enrollment access code.

    To specify the access code, expand the left pane and navigate to Enrollment > SCEP in SCM, select the device certificate SCEP endpoint, and click Accounts. Next, select the device certificate SCEP account, click Edit, and scroll down to the Access Code field.

  • Device certificates are issued using a private CA. The SCM administrator will need to provide the signed private CA certificate to the Workspace administrator so that it can be deployed to the trust store of the devices under management.

    To download the certificate from SCM, expand the left pane and navigate to Issuers > Private CAs, select the root private CA, and click Download Certificate. The certificate is in PEM-encoded .cer format.

    [Figure: Download the private CA root certificate]

The following SCM details will need to be configured into the application policy profile which you will upload into your Google Workspace control panel:

  • Customer device enrollment URL: The URL of the SCEP endpoint that will be used to enroll device certificates.

    To find the SCEP URL in SCM, expand the left pane and navigate to Enrollment > SCEP, select the necessary SCEP enrollment endpoint, and click Edit.

  • SCEP access code: The device certificate SCEP endpoint access code for the endpoint account associated with the organization or department under which the certificates are to be enrolled.

    To view the SCEP access code, expand the left pane and navigate to Enrollment > SCEP in SCM, select the device certificate SCEP endpoint, and click Accounts. Then select the account for the relevant organization and click Edit.

  • Customer client enrollment URL: The URL of the SCEP endpoint that will be used to enroll for client certificates.

    To find the SCEP URL in SCM, expand the left pane and navigate to Enrollment > SCEP, select the correct SCEP enrollment endpoint, click Edit, and copy the URL.

  • SCEP access code: The device certificate SCEP endpoint access code for the endpoint account associated with the organization or department under which the certificates are to be enrolled.

    To view the SCEP access code, expand the left pane and navigate to Enrollment > SCEP in SCM, select the device certificate SCEP endpoint, and click Accounts. Then select the account for the relevant organization and click Edit.

Google Workspace configuration

Google Workspace (formerly G Suite) is a suite of web applications created by Google for businesses. An administrator account can be used to remotely manage multiple Chromebooks for an organization.

Since the application is not currently available in the Chrome Web Store, it must be installed on target devices via a force install. To use the Force install feature, an Enterprise Google Workspace account is required.

This document assumes the following:

  • Your organization has a Google Workspace Enterprise account.

  • You are using Google Workspace to administer Chromebooks.

  • Your Workspace account is configured with organizational units.

  • You have set up TLS inspection on Chrome devices.

For information on configuring and using Google Workspace for enterprises, see the Google Workspace documentation.

Deploying the application

The process for deploying the application to managed Chromebooks involves several stages. The Workspace administrator must do the following:

  1. Host the application’s sectigo-identity.crx and updates.xml files on a publicly accessible server.

  2. Add the signed private CA root certificate in Workspace, so that the certificate can be pushed to devices under management.

  3. Add the application to your Workspace account and configure it for force install.

  4. Add the application to one or more organizational units in the Enterprise Workspace account, and configure the installation policy for force install.

  5. Configure the application’s policy JSON file and upload it to your Enterprise Workspace account. See Configuring the application policy for more information.

Hosting the CRX file

The ZIP file you obtained from Sectigo contains the following:

  • sectigo-identity.crx: The application that will be deployed to enterprise Chromebooks.

  • updates.xml: The configuration file with the application’s Extension ID and the URL of the location where the .crx file will be provisioned from.

To deploy the application to Chromebooks, the sectigo-identity.crx and updates.xml files must be hosted on publicly accessible servers, and the updates.xml file must be updated with the location of the sectigo-identity.crx file.

The updates.xml file is structured as follows.

<gupdate protocol="2.0">
    <app appid="application_id">
        <updatecheck codebase="https://mycompany.com/sectigo-identity.crx" version="application_version"/>
    </app>
</gupdate>

To prepare the application for deployment to Chromebooks under the organization’s management:

  1. Edit the updates.xml file to set the updatecheck codebase attribute to the URL of the location where the sectigo-identity.crx file will be hosted.

    You will use the value of the appid attribute later when adding the application to your Workspace account.
  2. Copy the sectigo-identity.crx and updates.xml files to the locations where you will host them.

    They can be hosted on the same or different servers, as long as they can be accessed by Workspace and client Chromebooks.
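The following Python script is an added example, not Sectigo's tooling: it performs the updates.xml preparation described in the two steps above by pointing the codebase attribute at the URL where you host the CRX (accepting only an HTTPS URL to the .crx file, so enrolled devices never fetch the extension over plaintext) and extracting the appid you will later enter as the Extension ID. The sample XML, appid, version and URLs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample following the updates.xml layout shown in this guide;
# the appid and version are placeholders, not Sectigo's real values.
SAMPLE_UPDATES_XML = """<gupdate protocol="2.0">
    <app appid="abcdefghijklmnopabcdefghijklmnop">
        <updatecheck codebase="https://mycompany.com/sectigo-identity.crx" version="1.0.0"/>
    </app>
</gupdate>"""

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def set_codebase(xml_text: str, crx_url: str) -> str:
    """Return updates.xml with the updatecheck codebase pointing at crx_url.

    Only an HTTPS URL ending in .crx is accepted, so a managed device is
    never directed to a plaintext download of the extension it force-installs.
    """
    if not crx_url.startswith("https://"):
        raise ValueError("host sectigo-identity.crx over HTTPS")
    if not crx_url.endswith(".crx"):
        raise ValueError("codebase must point at the .crx file itself")
    root = ET.fromstring(xml_text)
    check = root.find("./app/updatecheck")
    if check is None:
        raise ValueError("updates.xml has no <app><updatecheck> element")
    check.set("codebase", crx_url)
    return ET.tostring(root, encoding="unicode")


def extension_id(xml_text: str) -> str:
    """Return the appid to enter as the Extension ID in the Admin Console."""
    app = ET.fromstring(xml_text).find("./app")
    appid = app.get("appid") if app is not None else None
    if not appid or not EXTENSION_ID_RE.match(appid):
        raise ValueError(f"appid {appid!r} is not a valid Chrome extension ID")
    return appid


if __name__ == "__main__":
    updated = set_codebase(SAMPLE_UPDATES_XML, "https://files.example.com/sectigo-identity.crx")
    print(updated)
    print("Extension ID:", extension_id(updated))
```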

Adding the private CA certificate to your Workspace account

Because device certificates are issued using a private CA, the signed private CA root certificate must be added to the target devices.

Before proceeding, you need to download the signed private CA certificate from SCM.

To set up the certificate as a CA:

  1. In your Google Admin Console, navigate to Devices > Networks.

    To access this menu, you must have the shared device settings administrator privilege.
  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit:

    [Figure: Organizational unit]
  3. Under Certificates, click Create Certificate. This displays the Add certificate screen.

    [Figure: Add a certificate]
  4. Enter a name for the certificate.

  5. Click Upload, select the private CA certificate (.cer) file downloaded from SCM, and click Open.

    DER-encoded certificates are not supported.
  6. Under Certificate Authority, select the Chromebook platform.

  7. Click Add. The certificate will be added under Certificates on the Network tab.

To verify the CA on managed Chrome devices:

  1. Open chrome://settings/certificates.

  2. Click Authorities.

  3. Scroll down to see the newly added CA.

Adding the application to your Workspace account

Before the application can be deployed to target devices, it must be added to your Workspace account and configured for force install.

To add the application to your Admin Console:

  1. Log in to Google Admin.

  2. Select Devices under Chrome in the left pane.

    [Figure: Devices]
  3. In the Devices menu, select Apps & extensions.

    [Figure: Apps & extensions]
  4. Select the organizational unit for which the extension will be installed. You can add the extension to all organizational units by selecting the Include all organizational units option, or select individual organizational units in the left pane.

    [Figure: Organizational unit]
  5. Click the plus button in the lower right of the window.

    [Figure: Plus button]
  6. Select Add Chrome app or extension by ID.

    The application ID is stored in the appid attribute in the updates.xml file.
    [Figure: Add Chrome app or extension by ID]

    The Add Chrome app or extension by ID dialog will be displayed.

    [Figure: Add Chrome app or extension by ID dialog]
  7. In the Extension ID field, enter the appid from your updates.xml file.

  8. Select From a custom URL from the menu.

  9. Enter the URL of the location where the updates.xml file is hosted.

  10. Click Save.

    The application is added to the Apps & extensions list, using the Extension ID as the name.

    [Figure: Apps & extensions list]
  11. Under Installation policy, select Force install + pin.

The application is now configured to be automatically installed on Chromebooks enrolled with your enterprise.

Chromebooks that are enrolled to your enterprise will automatically download the application from the location where you have hosted it, and install it.

Updating the application

To provision an updated version of the application:

  1. Replace the sectigo-identity.crx file with the new version.

  2. Update the version field in the updates.xml file.

Chromebooks that are enrolled to your enterprise will automatically download the update from the location where you host it, and install the new version of the application.

Configuring the application policy

The application obtains its configuration from your Google Workspace. The configuration tells the application where to find the SCEP service endpoints and which types of certificates to enroll. It is stored in a JSON file that you create from the template provided to you by Sectigo, shown below.

{
    "DeviceScepUrl": {
        "Value": "http://cert-manager.com/customer/example/scep/1234546/pkiclient.exe"
    },
    "DeviceScepAccessCode": {
        "Value": "Code1234"
    },
    "DeviceKeyAlgorithm": {
        "Value": "RSASSA-PKCS1-v1_5"
    },
    "DeviceKeyLength": {
        "Value": "2048"
    },
    "ClientScepUrl": {
        "Value": "http://cert-manager.com/customer/example/scep/45678/pkiclient.exe"
    },
    "ClientScepAccessCode": {
        "Value": "Code5678"
    },
    "ClientKeyAlgorithm": {
        "Value": "RSASSA-PKCS1-v1_5"
    },
    "ClientKeyLength": {
        "Value": "2048"
    },
    "ClientKeyUsage": {
        "Value": "sign"
    }
}

The configuration attributes have the following meanings. Each attribute is listed with whether it is required (No or Conditional) and its description.

Device Certificate Attributes

  • DeviceScepUrl (Required: No)

    The URL of your organization’s SCEP endpoint that you plan to use for device certificate enrollment. Leave this field blank if you don’t want to issue device certificates.

  • DeviceScepAccessCode (Required: Conditional)

    The SCEP access code for the device certificate SCEP endpoint. This attribute is required if DeviceScepUrl is specified.

  • DeviceKeyAlgorithm (Required: Conditional)

    The key algorithm to use when generating the keys for device certificates, for example, RSASSA-PKCS1-v1_5. This attribute is required if DeviceScepUrl is specified.

  • DeviceKeyLength (Required: Conditional)

    The key length to use when generating the keys for device certificates. Currently, the only accepted key length is 2048. This attribute is required if DeviceScepUrl is specified.

Client Certificate Attributes

  • ClientScepUrl (Required: No)

    The URL of your organization’s SCEP endpoint that you plan to use for client certificate enrollment. Leave this field blank if you don’t want to issue client certificates.

  • ClientScepAccessCode (Required: Conditional)

    The Sectigo Certificate Manager SCEP access code for the client certificate SCEP endpoint. This attribute is required if ClientScepUrl is specified.

  • ClientKeyAlgorithm (Required: Conditional)

    The key algorithm to use when generating the keys for client certificates, for example, RSASSA-PKCS1-v1_5. This attribute is required if ClientScepUrl is specified.

  • ClientKeyLength (Required: Conditional)

    The key length to use when generating the keys for client certificates. Currently, the only accepted key length is 2048. This attribute is required if ClientScepUrl is specified.
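The following Python checker is an added example, not part of Sectigo's application: it applies the conditional rules from the attribute table above to a policy JSON before you upload it, so a misspelled attribute name, a missing access code or algorithm, or an unsupported key length is caught at your desk rather than on an enrolled Chromebook. The sample policy, its URL and its access code are constructed placeholders.

```python
# Rules taken from the attribute table above: setting *ScepUrl enables that
# certificate type, and then its access code, key algorithm and key length
# become required. Only a 2048-bit key length is currently accepted.
CERT_TYPES = {
    "Device": ("DeviceScepUrl", "DeviceScepAccessCode", "DeviceKeyAlgorithm", "DeviceKeyLength"),
    "Client": ("ClientScepUrl", "ClientScepAccessCode", "ClientKeyAlgorithm", "ClientKeyLength"),
}
KNOWN_ATTRIBUTES = {k for keys in CERT_TYPES.values() for k in keys} | {"ClientKeyUsage"}
ACCEPTED_KEY_LENGTH = "2048"

# Constructed sample policy: the client key algorithm attribute is misspelled,
# so the client section is also missing a required attribute, and the key
# length is not the accepted one. The URL and access code are placeholders.
SAMPLE_POLICY = {
    "ClientScepUrl": {"Value": "https://scep.example.com/client/pkiclient.exe"},
    "ClientScepAccessCode": {"Value": "PLACEHOLDER-CODE"},
    "ClientKeyAlgotithm": {"Value": "RSASSA-PKCS1-v1_5"},
    "ClientKeyLength": {"Value": "4096"},
    "ClientKeyUsage": {"Value": "sign"},
}


def _value(policy: dict, key: str) -> str:
    """Read the "Value" of a policy attribute, or "" if absent or malformed."""
    entry = policy.get(key)
    if not isinstance(entry, dict) or "Value" not in entry:
        return ""
    return str(entry["Value"]).strip()


def check_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    for key in policy:
        if key not in KNOWN_ATTRIBUTES:
            problems.append(f"unknown attribute {key!r} (misspelled?)")
    for url_key, code_key, alg_key, len_key in CERT_TYPES.values():
        url = _value(policy, url_key)
        if not url:
            continue  # blank URL: this certificate type is not issued
        if not url.lower().startswith(("http://", "https://")):
            problems.append(f"{url_key} is not an HTTP(S) URL")
        for key in (code_key, alg_key, len_key):
            if not _value(policy, key):
                problems.append(f"{key} is required because {url_key} is set")
        length = _value(policy, len_key)
        if length and length != ACCEPTED_KEY_LENGTH:
            problems.append(f"{len_key} must be {ACCEPTED_KEY_LENGTH}, got {length}")
    return problems


if __name__ == "__main__":
    for problem in check_policy(SAMPLE_POLICY):
        print("policy problem:", problem)
```

Load your real file with json.load and pass the resulting dict to check_policy; an empty list means it is ready to upload.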

Securing the application policy configuration

By default, Chromebook users may have the ability to view and alter the execution of any extension loaded into Chrome, which can present a security risk. The application policy that is sent to each Chromebook enrolled with your Google Workspace account contains sensitive information that must be protected. The recommended mechanism for protecting the policy for the Sectigo application is to prevent users from accessing the Chromebook policy information.

Securing the application policy configuration is an optional, but recommended, step to mitigate security risks.

The following instructions serve two purposes:

  • Disable the user’s ability to view the Chrome policy. This prevents them from seeing the SCEP URL and access code.

  • Disable the user’s ability to use developer tools for force-installed apps. This protects against the user trying to view the policy attributes or alter the execution of the application.

To implement the security recommendations:

  1. Log in to your Google Admin Console.

  2. Select Devices under Chrome in the left pane.

    [Figure: Devices]
  3. In the Devices menu, select Settings.

    [Figure: Settings]
  4. Select the User & Browser Settings tab.

    [Figure: User and browser settings]
  5. To protect the policy, change the URL blocking setting.

    Enter URL blocking in the search field to find the setting.
    [Figure: URL blocking setting]
  6. Add the chrome://policy URL to the list and apply the changes.

    [Figure: Blocked URLs]
  7. To protect against users tampering with the application, change the Developer tools setting to either Allow use of built-in developer tools except for force-installed extensions or Never allow use of built-in developer tools, and apply the changes.

    Enter Developer tools in the search field to find the setting.

    [Figure: Developer tools]

Once changes have been applied, users will no longer be able to view the Chromebook policy settings by navigating to the chrome://policy URL, and will not be able to tamper with the execution of the application. These changes don’t affect the use of the application.

Enrolling certificates

Once the application has been set up and added to Workspace, Chromebook users will then do the following:

  1. Enroll their Chromebook with the enterprise.

    If the Chromebook is not already being managed by the enterprise, it must be enrolled. This step may be done before the Chromebook is given to the end user. The application is automatically installed on enrolled Chromebooks.

  2. Enroll a device and/or client certificate using the application.

Enrolling a Chromebook with the enterprise

Enterprise-issued Chromebooks must be enrolled with the enterprise before the application can be installed on them.

To enroll a device with the enterprise:

  1. Turn on the Chromebook and follow the on-screen instructions until you see the sign-in screen. Don’t sign in yet.

  2. Click More options, then select Enterprise enrollment.

  3. Enter the username and password that you received from your Workspace administrator.

  4. (Optional) If prompted, enter the asset ID and location, then click Next.

  5. When you get a confirmation message that the device is successfully enrolled, click Done.

The device is now enrolled to the Enterprise Workspace account, and will be visible to the Workspace administrator in the Workspace Admin console.

Once enrolled, the application is automatically force-installed to the Chromebook.

For more information, see Enroll Chrome OS devices.