Student using Chromebook

Automated Certificate Management for Google Chromebooks

When the pandemic hit, employees were forced to work remotely, and students were required to enter distance learning. As Google Chromebooks are relatively affordable and provide integration with all distance learning tools, educational institutions adopted Google Chromebook as the standard. As a result, Chrome OS became the second most popular desktop operating system globally, surpassing macOS and taking second place to Windows, according to IDC data.

Securing Chromebooks With PKI

Google Chromebooks are primarily used online with WiFi networks, so security is of the utmost concern. It can be challenging in educational environments where IT support resources are limited. An effective way to protect Google Chromebooks is with public key infrastructure (PKI) using digital certificates. Once the certificate is deployed in Trusted Platform Module (TPM), a passwordless approach can be used to authenticate to the corporate wireless or wired network.

Google provides the Certificate Enrollment for Chrome OS extension. This extension provides an out-of-the-box certificate enrollment experience for Chromebooks in enterprises with a deployment of Microsoft public key infrastructure based on Active Directory Certificate Services (AD CS). Once installed on managed devices, this extension will allow users to generate hardware-backed keys and use them to request certificates from AD CS.

Yes, you read that right: it only works with AD CS. Google doesn’t have a solution available if you don’t have AD CS deployed in your environment.

Automated Certificate Management With PKIaaS

HID’s PKI-as-a-Service (PKIaaS) provides a unique way to automate certificate provisioning and management even if you don’t have AD CS deployed. Five components make up the certificate automation solution for managed Chromebooks.

As an enterprise or educational institution, you may have deployed the first three components. HID’s PKIaaS solution provides the last two components to create completely automated certificate provisioning and management for Google Chromebooks.

  1. Google MDM — Used to host the Certificate Enrollment extension and enforce enterprise control of managed Chromebooks.
  2. Chromebooks — The make/model of Chromebook doesn’t matter, but Google MDM must manage it.
  3. An Identity Provider — This is an external-facing federated identity solution commonly used by enterprises to enable single sign-on (SSO) authentication to employees for internal or external applications.
  4. A PKI-Aware Request Proxy — Sitting within a hosted environment, it’s managed on your behalf. Its main two jobs are to ensure:
    1. That an incoming certificate request is from a Chromebook managed by your organization.
    2. That the user making the request has been authenticated by a service trusted by your organization.
  5. A Private PKI-as-a-Service Managed by HID Global — We provide support for a broad range of certificate types signed by your organization’s hosted issuing CA that may be deployed to Chromebooks.

Learn more about implementing Zero Trust Security for Google Chromebooks using PKI in this white paper or you can talk to a PKI expert.

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).