Many companies today have websites that require authentication via client certificates instead of usernames and passwords, and almost all enterprises use some form of certificate-based authentication on their network. In this episode of CloudUp, we dig into client certificates and how to use them with Chrome Enterprise.

Meet the Speakers

Mitchell Steele

Google Chrome Sales Manager

Ray Pitmon

Solution Architect in Advanced Services

Transcript

Ray

Most client-based certificates are user-based. For example, with a Chromebook, a user can log into the Chromebook and then go through a process where they download a certificate. The certificate has information embedded in it so they know it belongs to that user; it gets installed on the Chromebook, and then the Chromebook will use that to connect to the network after that.

Mitchell

Interesting. Hey everyone. Today we’re talking about client certificates and how to use them with Chrome Enterprise. So what is a client cert?

Ray

So a client cert, you install it on a Chromebook; it can be associated with the device or the user, and it's used to authenticate the user to websites. So a lot of companies will have a website that requires authentication via certificates instead of usernames and passwords. And then they're also used, and probably more commonly used, to authenticate the devices on, like, a Wi-Fi network. So you can configure your Chromebook to connect to a corporate Wi-Fi network that requires a specific certificate that you've had installed on the device. So by doing that you can obviously keep other devices off of your network.

Mitchell

Is this something that’s pretty common in enterprises today?

Ray

Oh yeah. Almost all enterprises have some sort of certificate-based auth with their network.

Mitchell

And does that ever factor into things like single sign on or authentication?

Ray

Yeah. So most client-based certificates are user-based. For example, with a Chromebook, a user can log into the Chromebook and go through a process where they download a certificate. The certificate has information embedded in it so they know it belongs to that user; it gets installed on the Chromebook, and then the Chromebook will use that to connect to the network after that.

Mitchell

Interesting. So Ray how do most companies issue certificates or install certificates on their machines?

Ray

The easiest way, and I think the way most people do it, is through Microsoft Windows. So you'll set up a Windows server as a CA, and Google built a Chrome extension, so you install the Chrome extension on your devices. That extension communicates with the Microsoft server to pass credentials to the server, download the certificate, and install the certificate on the device in its TPM.

Mitchell

Got it. And that’s the machine cert that’s on the actual device itself?

Ray

Yeah. It can be a machine cert, or Microsoft can generate user-based certs as well.

Mitchell

Okay. So if I'm in an organization that actually requires both, maybe I have a machine cert to get access to my network, and then a user cert to get, like you talked about earlier, access to certain internal web applications or something like that?

Ray

Yeah, you can install both. That extension will let a user request certificates, basically enroll a certificate, so communicate with the server and download the specific type of certificate onto the device. In some cases people will actually create, and we've done this for people, a custom extension, so you may want to send custom information to the certificate server, to customize the actual information, or to log that certs happened. There are multiple reasons that you might want to do that. So you can create your own custom extension and use the same APIs that Google uses in their extension to install this cert as well.

Mitchell

Got it. And why would you need or want to use a custom extension, as opposed to the Google-made one? Or maybe even if you have a third party like Aruba or Cisco, some of the products have a Chrome extension already built, but why would you maybe want your own extension?

Ray

Well, say you had a custom workflow that you needed to follow. In some cases you might install a bootstrap certificate that will allow you to get your device on an internal network, and then the second step might be to install the real certificate associated with the user. And that would be one thing where, if you wanted to make a more seamless experience for your users, you'd want to create a custom…

Mitchell

Extension.

Ray

Yes. Create a custom extension.

Mitchell

And I know this is something we've done for several customers. Was that most of the reason why, the custom workflows they needed?

Ray

Yes. We've also done some work where we've integrated with CAs that weren't supported, where there wasn't an extension already available. So we kind of had to start from scratch and use APIs to communicate with a CA. So we used the external APIs to talk to the CA, pass the information about the user, the device, things like that to the CA, get a certificate back from the CA, and then use the internal Chrome APIs to install that certificate on the device.

Mitchell

Got it. So if I'm an organization and I have a Microsoft CA, one of the versions we mentioned earlier, how do I go about getting Chromebooks on my network?

Ray

I suppose you kind of have a chicken-and-egg thing going, right? The device isn't on the network, it doesn't have a cert, so how do you get it on a network? You might have another Wi-Fi network that was configured to allow access just to that CA and the internet, because the user logs into the device and then it can access that CA directly and download the certificate. And then Chrome will automatically switch over to use the more secure network. Some people also will use ethernet. So they'll actually plug in an ethernet cable after they do the Chromebook. And we've also had customers that will actually load a temporary cert, and I kind of mentioned this earlier, where they'll load a temporary cert on a USB key, plug the key in, go through a process of pulling the certificate off the key, and install it on the device. That certificate will allow them to have access to the network. In a lot of cases they may stay with that certificate, or they might switch out that certificate for one that's specific to a user.

Mitchell

And I'm assuming the reason they would maybe use a bootstrap certificate is that they're having their devices enrolled by a third party or an IT provisioning company, so they don't have to touch each one, but that way they also don't have to hand that third-party company an internal certificate. Is that usually what you see people doing?

Ray

Yeah, right. You can imagine that if you order a lot of Chromebooks you might have a company do some sort of white-glove service where they do some sort of pre-configuration of the Chromebook, and one of those things might be to install the certificate on that Chromebook that will allow it to get some level of access to your network. So then you can ship your devices directly out to stores or wherever they're going, offices, things like that.

Mitchell

Cool. So I know we talked a lot today about Microsoft CAs. I think it's probably important to know the other network providers that have CAs or have their own certificate authorities; Cisco ISE is a good example I know. Aruba also has a solution. They've actually built solutions for Chrome OS as well by building their own extensions that you can push out across your network. You also have the option, if you need something custom, of having that built as well.

Ray

Right. And the one thing we didn't really talk about, we mentioned it, was using certificates for authentication. So in a lot of cases companies will build, like, a website that doesn't use username and password but uses certificates to authenticate, and you can push those types of certificates down to the devices as well. And in some cases we've seen, and this is where the bootstrap certificate comes in, you can have a bootstrap certificate installed on a device, which then allows the device to communicate with the CA to install the final certificate. So then if you had your CA available on this Wi-Fi network that was kind of open but not really open, and you allowed any device to connect to it, of course if they have the login information for that, or if it was even public, the device could connect to it. It could access the CA, but it couldn't authenticate to it because it didn't have that certificate on it. You wouldn't have to worry about people bringing their own devices, plugging them into the network, and being able to access that CA to download certificates.

Mitchell

Got it. So it's another security protocol? It's another level of security, then, to make sure that every device is company-owned.

Ray

Right. Because the certificates are installed on the devices and can be configured against all incoming devices.

Mitchell

Cool. Thanks for watching this episode of CloudUp. Are you using certificates at your organization? Drop a comment. Let us know how you're using them with Chrome Enterprise.