Sectigo Identity for Chromebooks user guide

This document describes how to use Sectigo Identity for Chromebooks ("the application") to manage X.509 security certificates on Chromebooks administered using Enterprise Google Workspace.

Overview

Sectigo Identity for Chromebooks provides the ability for a Chromebook to request and then receive valid X.509 certificates signed by Sectigo (which acts as the Certificate Authority). While the application can be installed onto individual machines one at a time, typically a network administrator will install it onto several machines at once using an Enterprise Google Workspace administrator account.

Due to the nature of the security operations performed by the application, it must be force-installed onto the target devices from your organization’s Google Workspace account.

Prerequisites

The application requires the following:

  • Hardware: Google Chromebook

    The Chromebook requires updated firmware if it is affected by the TPM firmware vulnerability. For more information, see Trusted Platform Module firmware vulnerability.

  • Software: Chrome OS

  • Organization: Your organization has an SCM account and an Enterprise Google Workspace account. Your organization’s IT administrators have configured device certificate SCEP enrollment.

Understanding the application’s popup menu

When the application is installed on a Chromebook, it appears in the browser's extensions bar. When selected, the application shows a popup menu with which you can interact.

Sectigo Identity application popup menu
  1. The language this application popup uses to display text. Currently the only supported language is English.

  2. Click the user icon for information about the client certificates. Sectigo Identity uses the term "user certificate" as an equivalent of "client certificate".

  3. Click the device icon for information about the device certificates.

  4. Click the question mark for information about the application, including links to the online documentation.

  5. If the application requires some action from you, a red badge will appear on the Sectigo icon.

Enrolling a certificate on Chromebook

If your organization has completed the deployment and configuration of the application to your Chromebook, and the Chromebook is managed by your organization’s Google Enterprise account, you can start the enrollment process for a certificate.

Don’t click away from the popup until the enrollment process is complete; otherwise, you will have to start over.

Enrolling a device certificate

Click the device icon to start the enrollment process for a device certificate. After you click the icon, the enrollment proceeds with no further input required from you.

Device certificate
Only one device certificate can be issued per Chromebook. Each user who logs into the Chromebook using their Google Enterprise account will see the same device certificate.

Enrolling a client certificate

Click the user icon to start the enrollment process for a personal client certificate. After that, no further input is required from you.

Client certificate
Each user of a Chromebook is enrolled for their own certificate. If you have an account on different Chromebooks, you will have a unique client certificate on each Chromebook.

Viewing the provisioned certificate

To view the new certificate:

  1. Open a new tab and enter the following URL: chrome://settings/certificates

    Certificates in Chrome OS

    All available certificates are listed on the Your Certificates tab, under the name of the SCM organization for which the certificates were enrolled.

  2. Click the down arrow next to the organization to list the certificates.

    List certificates

    The certificate name is the device serial number or the user’s email name, depending on the certificate type.

  3. Click More actions (the three dots icon) next to the certificate and select View to view the certificate.

    View certificate

    The General tab will display the certificate issuer, who it is issued to, and the certificate validity period.

    Certificate viewer

Renewing a certificate

When certificates are within 14 days of their expiry date, the application will warn you that expiry is approaching and the certificate(s) should be renewed. A warning badge will appear on the Sectigo application icon indicating that you need to address an issue, which in this case is the approaching expiry of a certificate. The following is an example of an expiring device certificate.

Certificate expiry

A similar message would appear for the approaching expiry of a client certificate. Once you click the link, the application will begin the process of updating the certificate to obtain a new one.

Certificate enrollment errors

If the application fails to enroll a certificate, it will signal to you that something in the application requires your attention. The Sectigo application icon will include a warning indicator that you need to address an issue.

When you open the application’s popup menu, the certificate needing attention will display a message explaining the failure. If you hover over the message, the specific error message will be displayed. This information can be provided to the IT department to help diagnose the issue.

Enrollment errors